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Novell Nsure Audit 1.0.2 Administration Guide 


About This Guide 


This guide describes Novell® Nsure™ Audit. The guide is intended for network administrators and 
is divided into the following sections: 


+ Chapter 1, “Overview,” on page 13 

+ Chapter 2, “System Architecture,” on page 17 

+ Chapter 3, “Installation,” on page 35 

+ Chapter 4, “Nsure Audit ¡Manager Plug-in,” on page 39 

+ Chapter 5, “Configuring the Logging System,” on page 51 

+ Chapter 6, “Logging eDirectory, NetWare, and File System Events,” on page 69 
+ Chapter 7, “Managing Applications that Log to Nsure Audit,” on page 73 

¢ Chapter 8, “Configuring System Channels,” on page 77 

+ Chapter 9, “Configuring Filters and Event Notifications,” on page 99 

+ Chapter 10, “Generating Queries and Reports,” on page 105 

+ Chapter 11, “Security and Non-Repudiation,” on page 139 

¢ Chapter 12, “Troubleshooting NSure Audit,” on page 147 

+ Appendix A, “Log Events,” on page 155 

+ Appendix B, “Using MySQL with Nsure Audit,” on page 165 

+ Appendix C, “Using Oracle with Nsure Audit,” on page 175 

+ Appendix D, “Using Microsoft SQL Server with Nsure Audit,” on page 177 
+ Appendix E, “Using JDBC Data Stores with Nsure Audit,” on page 179 

+ Appendix F, “Commands and Utilities,” on page 181 

+ Appendix G, “File Descriptions and Locations,” on page 191 


+ “Glossary” on page 199 


Documentation Updates 


For the most recent version of the Novell Nsure Audit 1.0.2 Administration Guide, see the Novell 
Documentation Web site, (http://www.novell.com/documentation/lg/nsureaudit/index.html). 


Documentation Conventions 


In this documentation, a greater-than symbol (>) is used to separate actions within a step and items 
within a cross-reference path. 


A trademark symbol a TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party 
trademark. 


About This Guide 11 


When a single pathname can be written with a backslash for some platforms or a forward slash for 
other platforms, the pathname is presented with a backslash. Users of platforms that require a 
forward slash, such as UNIX*, should use forward slashes as required by your software. 
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Overview 


This section provides an overview of the Novell® Nsure™ Audit Report auditing system and 
reviews auditing fundamentals. 


+ “Product Overview” on page 14 


¢ “Auditing Background and Fundamentals” on page 15 


New Features in Version 1.0.2 


This section contains a listing of the new features available in version 1.0.2 of Nsure Audit. 


eDirectory Instrumentation Enhancements 


Several enhancements were made to the eDirectory™ instrumentation. These include the ability to: 


+ Choose between inline and journal logging of events. Inline mode logs events during the 
actual eDirectory process as they occur. Journal mode logs events in a separate thread, so the 
actual eDirectory process is not interrupted. Journal mode does not incur as much 
performance overhead, however, if the eDirectory server goes down, events in the journal that 
have not been processed are lost. 


+ Use an advanced grouping mechanism to group events related to an operation, providing 
easier searching and browsing of events. Events are now grouped by eDirectory transaction, 
which enables you to use the drill down feature of the Nsure Audit Report Application 
(LReport) to view all events associated with a transaction. 


+ Store the previous value of an eDirectory change. For example, when an attribute is deleted 
in eDirectory, Nsure Audit logs a delete attribute event in which the previous attribute value 
is stored in the data field of the event. 


+ Show a previous state of eDirectory before a change, based on logged information. For 
example, when a user is deleted from eDirectory, Nsure Audit logs a series of delete attribute 
events and a delete object event. Each of these events is grouped using the advanced grouping 
mechanism, making it easy to drill-down and view all events relating to this transaction. If it 
was later determined that this user was erroneously deleted, all removed attributes and their 
values could be retrieved from Nsure Audit, and the object could be reconstructed. 


+ Present attribute data in human-readable form. In previous versions, this information was in 
a binary format that was more difficult to access. 
New Event Fields 


Several additional fields were added to the Nsure Audit event structure to enhance querying and 
reporting. The Nsure Audit event structure now contains fields to report the originator of an event, 
the target and subcomponent affected by the event, as well as additional text and value fields. 
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Installation Enhancements 


The installation has been enhanced on all supported platforms to provide more flexible, integrated 
installs. You now have the option of installing components individually, configuring the Platform 
Agent during install, and installing the Nsure Audit iManager plug-in during the process. 


Microsoft SQL Server Support 


The Nsure Audit Secure Logging Server now has the ability to store events in the Microsoft* SQL 
Server database. The Nsure Audit iManager plug-in has been updated to support establishing this 
connection. 


Additional Supported Platforms 


The Secure Logging Server now supports Windows* 2003 Server, RedHat* AS and ES. 


JDBC Log Channel 


The JDBC* Log Channel Driver has been enhanced to support any JDBC-enabled database, 
enabling you to log events to a number of different data stores supporting JDBC. 


iManager Query and Verification Builder 


The Query and Verification Builder interface in iManager has received several enhancements, 
including the ability to use custom macros in SQL queries. These custom macros make is simple 
to convert from hex to decimal, use IP addresses in queries, and reference the Nsure Audit table 
name using a keyword. 


You can now also perform lightweight event verifications using the iManager interface. 


Event Cache Limit 


The Platform Agent now has additional parameters, contained in logevent.cfg, enabling you to 
specify the maximum size of the Nsure Audit event cache, and specify the action Nsure Audit takes 
when this limit is reached (stop logging, drop cache, or generate a warning). 


Optional Expanded Event Data Field 


The Platform agent has an additional parameter, contained in logevent.cfg, enabling you to specify 
the maximum size of the data field for each event. This option provides additional flexibility for 
applications logging events to Nsure Audit, as they can use an expanded event data field to 
increase the amount of information that can be stored with each event. 


This increased size is optional, so applications not requiring this functionality can leave this off for 
increased performance. 


Product Overview 


Novell Nsure Audit is a centralized, cross-platform auditing service. It collects event data from 
multiple applications across multiple platforms and writes the data to a single, non-repudiable data 
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store. Nsure Audit is also capable of creating filtered data stores. Based on criteria you define, 
Nsure Audit captures specific types of events and writes those events to secondary data stores. 


After you have collected the data, the next challenge is making sense of it. Using the query and 
report generating tools included with Nsure Audit Report, you can evaluate the information in your 
data stores to determine resource access, usage patterns, and overall compliance with 
organizational policies and regulations. 


Although queries and reports are invaluable in reviewing system activity, sometimes you need to 
know what is happening on your system as it happens. Therefore, Nsure Audit provides real-time 
notifications and real-time monitoring so you can assess and act on events as they occur. 


To some extent, Nsure Audit can even automate the process of responding to events in real time. 
The Critical Value Reset (CVR) channel allows you to flag Directory attributes with reset policies. 
If the value of a given attribute is changed, the CVR channel resets the value as per the policy 
defined in the CVR Channel object. For example, if your organization has a policy prohibiting 
security equivalence, you can create a CVR Channel object that automatically resets the Security 
Equals attribute to a null value if it is ever reset by an administrator. 


We understand that security standards are becoming increasingly rigorous. In order to manage 
liability and protect assets, organizations need to be able to provide a record of all their electronic 
proceedings and to identify when business policies are being violated. With real-time monitoring, 
notifications, and historical reporting capabilities, Novell Nsure Audit can give you the facts you 
need to make informed decisions and ensure the safety of your most valuable corporate asset—its 
information. 


Auditing Background and Fundamentals 


Novell Nsure Audit provides the tools you need to audit your organization’s compliance with 
internal and external policies and regulations; however, the use of secure logging technology such 
as Novell Nsure Audit does not, in itself, provide a complete auditing solution. Auditing is actually 
a human-driven process and Novell Nsure Audit is simply a tool to facilitate that process. 


Therefore, a complete auditing strategy requires that you: 


1. Define your organization’s security and usage policies. That is, determine what resources your 
users are allowed to access, what rights they have to those resources, and so forth. 


2. Log the events relevant to those policies. 


3. Configure Notification Filters to notify you in real time when a policy violation occurs. You 
can also use Notification Filters to route the events to the Critical Value Reset (CVR) channel 
to trigger an automated response to the violation. 


4. Perform regular compliance audits. This entails querying the data store for events relevant to 
your policies and then manually reviewing those events to determine if there are any 
violations of your corporate policies, when the violations occurred, and who was responsible. 


After you have implemented your auditing strategy, Novell Nsure Audit provides the information 
you need to assess overall compliance with organizational policies and to respond to policy 
violations in a timely manner. 


For example, in a secure environment, you might have a policy that prohibits assigning user rights 
using the Security Equals attribute because it makes it difficult to track and manage user rights. To 
audit this policy, you first configure Novell Nsure Audit to log the Change Security Equals event. 
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To facilitate a timely response to policy violations, you configure a Notification Filter to send a 
message to your mailbox any time the Change Security Equals event occurs. You also have the 
Notification Filter route the event to the CVR channel, which is configured to automatically reset 
the Security Equals attribute on User objects to a null value. 


You can monitor your organization’s compliance with this policy by using iManager or Nsure 
Audit Report to query the data store for Change Security Equals events. You then review the query 
results to determine when violations occurred and who was responsible. 
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System Architecture 


As a system administrator, you need a clear understanding of Novell® Nsure™ Audit architecture 
and functionality so you can better design, configure, and maintain your auditing system. This 
section provides a basic explanation of the components that make up Novell Nsure Audit. 


+ “Nsure Audit System Components” on page 17 
+ “Platform Agent” on page 18 
+ “Secure Logging Server” on page 22 
+ “Data Store” on page 27 
+ “Reporting Applications” on page 28 
+ “Configuration Objects” on page 28 
+ “Logging Services Container” on page 29 
+ “Logging Server Object” on page 30 
+ “Nsure Audit Attributes on the NCP Server Object” on page 30 
+ “Application Objects” on page 30 
+ “Channel Objects” on page 31 
+ “Notification Objects” on page 32 


Nsure Audit System Components 


Novell Nsure Audit has a highly modular architecture. Product functions are strategically divided 
among several different components to protect data integrity, optimize system performance, and 
provide maximum flexibility. Depending on usage and system resources, these components can be 
located on a single server or distributed across multiple servers. 


The full auditing system consists of the following components: 
¢ Platform Agent 
+ Secure Logging Server 
+ Data Store 
+ Reporting Applications 


The Platform A gent, Secure Logging Server, and data store are the central components in this 
structure. To log events from system applications to the data store, Novell Nsure Audit uses a 
client/server model. The Platform Agent, as the client piece, receives all log data from the system 
applications. It securely transmits this data to the Secure Logging Server, which then writes the 
information to the data store. 
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Separating the Platform Agent from the actual logging function provides the following 
advantages: 


+ You can run Platform Agents on multiple servers throughout the network while still 
maintaining a single data store. 


¢ Applications are not slowed down trying to commit an event to disk. Applications simply 
relay their log events to the Platform Agent, which then transmits the information the Logging 
Service. The Secure Logging Server assumes the full load of writing events to disk. 


¢ You can off-load the system’s logging overhead by running the Secure Logging Server on a 
dedicated server. 


The remaining Nsure Audit component includes two reporting applications: iManager and Nsure 
Audit Report. These supplementary tools allow you, as the administrator, to tap vital data from the 
system. 


The following sections provide a discussion of each component in the Nsure Audit architecture. 
+ “Platform Agent” on page 18 
+ “Secure Logging Server” on page 22 
+ “Data Store” on page 27 
+ “Reporting Applications” on page 28 


Platform Agent 


The Platform A gent (logevent) is the client portion of the Nsure auditing system. The Platform 
Agent receives logging information and system requests from authenticated applications and 
transmits the information to the Secure Logging Server. 


For more information on program binaries, see “Program Files” on page 191. For more 
information on how applications authenticate with Nsure Audit, see “Authenticating Logging 
Applications” on page 139. 


Ifthe connection between the Platform Agent and the Secure Logging Server fails, applications 
continue to log events to the local Platform Agent, just as they always do. The Platform A gent 
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simply switches into Disconnected Cache Mode and the Cache Module writes all logged events to 
the local cache until the connection is restored. The switch into Disconnected Cache Mode is 
completely transparent to the logging applications. For more information, see “Disconnected 
Mode Cache” on page 51. 
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Supported Applications 
Currently, the Platform Agent can receive log events from the following: 
+ Novell eDirectory™ 6.0 and higher 
+ DirXML® 2.0 
+ NetMail™ 3.5 and higher 
+ iChain® 2.2 SP1 
+ BorderManager? 3.8 
+ NetWare® NSS File System 
+ NetWare Traditional File System 


NOTE: Before an application can log events to Novell Nsure Audit, it must be able to authenticate with the 
system and report events in the auditing system's required format. For more information on the authentication 
process, see “Authenticating Logging Applications” on page 139. For more information on event structure, see 
“Event Structure” on page 155. 
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Supported Platforms 


The Nsure Audit architecture requires that the Platform Agent be locally installed on every server 
or workstation running applications that log events to Nsure Audit. 


This design ensures secure, uninterrupted logging because the logging applications are insulated 
from external communication failures. The Platform Agent is supported on the following 
platforms: 


+ NetWare 4.2 or later 


+ Windows* NT, Windows 2000 and Windows 2000 Server, Window XP, Windows 2003 
Server. 


+ 


SUSE? Linux* Enterprise Server 8 
¢ Solaris 8 and 9 


+ RedHat* Linux 7.3, 8, AS, and ES 2.1 


20 Novell Nsure Audit 1.0.2 Administration Guide 


Secure 


Logging 
Server 


eDirectory 
NetWare NSS 
File System 


NetWare Traditional 
File System 


Platform Agent 


Disconnected | 
Mode l 
Cache © 


NetWare 
Windows 
Solaris 
Linux 


Platform Agent Configuration 


The Platform Agent is not configured through eDirectory. Instead, the Platform Agent’s 
configuration settings are stored in a simple, text-based configuration file (logevent). This makes 
the Platform Agent small, unobtrusive, and self-contained—that is, it has no external dependencies 
so it is always available to receive logged events. Storing the Platform Agent’s configuration in a 
text-based file also allows the Platform Agent to eventually run on platforms that do not have 
eDirectory support. 


The logevent file stores the host name or IP address of the logging server, the Disconnected Mode 
Cache directory, port assignments, and other related information. For more information on 
Platform Agent configuration settings, including a sample logevent file, see “Logevent” on 

page 52. 
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Secure Logging Server 


The Secure Logging Server (lengine) is the server component in the Nsure auditing system.The 
Secure Logging Server manages the flow of information to and from the Nsure auditing system— 
that is, it receives incoming events and requests from the Platform Agents, logs information to the 
data store, monitors designated events, and provides filtering and notification services. It can also 
be configured to automatically reset critical system attributes according to a specified policy. For 
more information on program binaries, see “Program Files” on page 191. 


The Secure Logging Server supports the following platforms: 
+ NetWare 6.5 
+ NetWare 6.0 SP3 or later 
+ NetWare® 5.1 SP6 or later 
+ Windows 2003 Server 
+ Windows 2000 Server SP4 or later 
¢ Solaris 8 and 9 
+ SUSE Linux Enterprise Server 8 
+ Red Hat Linux AS and ES 2.1 


The Secure Logging Server is configured through eDirectory. The Logging Server object contains 
all the configuration settings for the Secure Logging Server. Consequently, the logging server must 
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Event Management 


have access to eDirectory and the Logging Server object before it can launch the Secure Logging 
Server. For more information, see “Configuring the Secure Logging Server” on page 54. 


NOTE: To minimize server reaction time and ensure high system performance, you should create a local 
replica of the Logging Server object and its associated objects on the logging server. 


Applications 
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The Secure Logging Server provides the following services: 
+ Event Management 
+ Logging and Notification Channels 
+ Logging Service 
+ Notification Service 


A description of each service follows. 


The Event Manager receives all incoming data from the Platform Agents and directs the 
information to the appropriate service. It also routes outgoing information from the logging server 
to the appropriate Platform Agent. 


This mode of operation is very efficient. Indeed, the Event Manager service is designed to 
maximize system efficiency and performance. Depending on the Secure Logging Server’s cache 
settings, the Event Manager can handle more than 60,000 events per second. For information on 
configuring the Secure Logging Server’s cache, see “Logging Server Objects” on page 55. 
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Logging and Notification Channels 


The Secure Logging Server uses channels to log events and provide event notification. For 
example, to e-mail events, the logging server uses the SMTP channel; to log events to an Oracle* 
database, the logging server uses the Oracle channel; and so forth. 


Nsure Audit currently supports the following channels: 


SMTP Oracle (Available on NetWare using the Java 
JDBC channel driver.) 

SNMP File 

Java Syslog 

MySQL CVR (Critical Value Reset) 

JDBC Microsoft* SQL Server 


Third-party channels can be easily incorporated into this structure. For more information, see the 
Novell Nsure Audit SDK (http://developer.novell.com/ndk/naudit.htm). 


Channels are configured in eDirectory using Channel objects. Each Channel object stores the 
information the logging server needs to use its associated channel. For further information, see 
“Channel Objects” on page 31. 
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Logging Service 
The Logging Service is the only Nsure Audit component that can write to the data store. This 


design protects log data from unauthorized record modification, insertion, or deletion. 


To ensure that the auditing system maintains accurate records, the Event Manager delivers all 
incoming data directly to the Logging Service. All events and requests must be recorded in the data 
store before the Event Manager sends them to the Monitoring or Notification services. 


Write times vary per storage option. On a P4 Xeon class server, the Logging Service can write 
approximately 60,000 events per second to a flat file in a file system or 3,000 events per second to 
a MySQL* database. 
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Using the logging server’s channels, the Logging Service can write events to the following storage 
devices: 


¢ Flat file in the file system 

+ MySQL database 

+ Oracle database 

+ Syslog database 

+ Microsoft* SQL Server database 


NOTE: Although you can actually use any channel to log events, for performance reasons we recommend that 
you only log to the Syslog, MySQL, Oracle, Microsoft SQL Server, or File channels. 


For more information on configuring these channels, see Chapter 8, “Configuring System 
Channels,” on page 77. 


Notification Service 


The Notification Service provides two kinds of notification: filtered and heartbeat. Filtered 
notification tells you when a specific event has occured; heartbeat notification tells you when an 
event has not occured. 


In both cases, the Notification Service identifies the event and routes it to specific channels. For 
example, the Notification Service can send a notification event to a system administrator’s 
mailbox or cell phone using the SMTP channel, route the event to the network management system 
as an SNMP trap, or write the event to a flat file in the file system or to a Syslog, MySQL, Oracle, 
or SQL Server database. 
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Both filtered and heartbeat notifications are configured in eDirectory using Notification Filter and 
Heartbeat objects. These objects define event criteria and designate which Channel objects are 
used to provide event notification. For more information, see “Notification Objects” on page 32. 
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Using its available channel drivers, Nsure Audit can log events to the following storage devices: 


Data Store 


¢ Flat file in the file system 

+ MySQL database 

+ Oracle database 

+ Microsoft SQL Server database 
+ Syslog database 


Nsure Audit protects log data from record modification, insertion, or deletion by allowing only one 
program component, the Logging Service, to write events to the data store. Nsure Audit also limits 
read access to log data by controlling which applications can request log information through the 
auditing system. However, the security of the data store itself is up to you and the security 
mechanisms provided by the database. Although Nsure Audit maintains an internal security 
perimeter around the data store, it is possible for individuals or applications to directly access the 
data store outside the boundaries of the auditing system. Therefore, file system rights, directory 
rights, and the database’s internal security features must be carefully configured to secure your log 
data. 


For further information, see “Configuring the Data Store” on page 64. 
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Reporting Applications 
Nsure Audit provides two tools that can be used to generate reports from MySQL, Microsoft SQL 
Server, and Oracle data stores. 
NOTE: Any standardized syslog reporting tool can be used to generate reports from syslog data stores. 


+ Nsure Audit Report is a Windows-based, ODBC-compliant application that can generate 
reports from Oracle and MySQL data stores. It includes predefined reports and can be 
integrated with Crystal Reports* to provide full custom reporting capabilities. 


+ ¡Manager is a browser-based, JDBC*-compliant application that can generate reports from 
MySQL data stores. 


For more information on generating reports with these tools, see Chapter 10, “Generating Queries 
and Reports,” on page 105. Any standardized syslog reporting tool can be used to generate reports 
from syslog data stores. 
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When you install the Secure Logging Server, the installation program extends the eDirectory 
schema to include the following objects: 


Event Manager 
Notification 


Configuration Objects 


+ Logging Services Container (page 29) 

+ Logging Server Object (page 30) 

+ Nsure Audit Attributes on the NCP Server Object (page 30) 
+ Application Objects (page 30) 
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+ Channel Objects (page 31) 
+ Notification Objects (page 32) 


Nsure Audit uses these objects to store and look up system configuration parameters. 
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IMPORTANT: The Platform Agent is not configured through eDirectory. Instead, the Platform Agent's 
configuration settings are stored in a simple, text-based configuration file (logevent). For more information, see 
“Logevent” on page 52. 


Logging Services Container 


During your initial installation, Nsure Audit extends the eDirectory schema and creates the 
Logging Services container at the root of your directory tree. Because it is part of Nsure Audit, 
there can only be one Logging Services container per tree and, as the logging system container, it 
only contains Nsure Audit component objects. 


Locating all logging system components in the Logging Services container is ideal for 
organizations that need a simple, easy-to-manage logging system. It also suits organizations that 
are implementing Nsure Audit as an auditing solution and, for security reasons, want to centrally 
manage their system. To facilitate distributed administration, however, Nsure Audit components 
can also be created and managed outside the Logging Services container. 


If the Logging Services container is deleted, it can only be re-created by re-running AuditExt. For 
more information, see “AuditExt” on page 185. 


Logging Server Object 


hal 
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In eDirectory, the Logging Server object represents the physical server where you installed the 
Secure Logging Server. However, because the Logging Server object is specific to Nsure Audit, it 
does not replace the NCP Server object. Instead, each Logging Server object is associated with an 
NCP Server object. 


The Logging Server object is represented as a container with server attributes; it can contain Nsure 
Audit objects and it stores all the properties and attributes for the Secure Logging Server. For 
information on creating and configuring the Logging Server object, see “Configuring the Secure 
Logging Server” on page 54. 


Nsure Audit Attributes on the NCP Server Object 
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During installation, Nsure Audit extends the definition of the NCP Server object to include the log 
settings for eDirectory, NetWare, traditional file system, and NSS events. These settings are found 
under the NCP Server object’s Nsure Audit tab. 


The Nsure Audit screen has separate menus for NetWare, Filesystem, and eDirectory events. Each 
menu lists the events that fall in its respective category. To configure the logging server to log a 
particular type of event, simply mark the event’s check box and click Apply. The logging server 
automatically begins logging the marked events. 


NOTE: You do not need to restart the logging server to effect changes to NSure Audit attributes in the NCP 
Server object. 


For more information on configuring the NCP Server object’s Nsure Audit attributes, see Chapter 
6, “Logging eDirectory, NetWare, and File System Events,” on page 69. 


Application Objects 
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Application objects are associated with applications that log to or request information from Nsure 
Audit. These objects store the information required by the logging server to authenticate logging 
applications. They also identify which users have rights to monitor the applications’ events and 
they store the applications’ log schemas. 


NOTE: The log schema catalogs the events that can be logged for a given application. For more information, 
see “Log Schema Files” on page 161. 


Application objects are usually created automatically when either Nsure Audit or the logging 
application is installed. If necessary, they can also be manually added to the tree using iManager. 


During installation, Novell Nsure Audit automatically creates Application objects for itself (the 
Naudit Instrumentation), the eDirectory Instrumentation, and the NetWare Instrumentation. The 
Naudit Instrumentation allows Nsure Audit to audit its own events such as creating Channel or 

Notification objects. The eDirectory Instrumentation manages logging of eDirectory events and 
the NetWare Instrumentation provides logging for NetWare and file system events. 


NOTE: The NetWare Instrumentation is only installed on NetWare versions. 
Application objects can be created only within Application containers. Novell Nsure Audit creates 


the Application objects for the Naudit, eDirectory, and NetWare Instrumentations in the 
Application container under Logging Services. 


For more information on creating and configuring Application objects, see Chapter 7, “Managing 
Applications that Log to Nsure Audit,” on page 73. 


Novell Nsure Audit 1.0.2 Administration Guide 


Application Containers 


Application containers provide a reference point through which the logging server can locate 
Application objects. At startup, the logging server scans its list of Application containers and loads 
the included Application object configurations in memory where it can quickly access the 
information when authenticating applications. For information on configuring the Application 
Container property on the logging server, see “Logging Server Objects” on page 55. 


IMPORTANT: The logging server scans its list of Application containers only at startup. Therefore, if you 
create or modify an Application object, you must restart the logging server. For information on restarting the 
logging server, see “Secure Logging Server Startup Commands” on page 182. 


The Application container under Logging Services is automatically created during installation; 
however, additional Application containers can be created anywhere in the tree. 


Channel Objects 


Channel objects store the information the logging server needs to use channel drivers. For 
example, a MySQL Channel object contains the IP address or host name of the MySQL database 
server; a username and password for connecting to the server, the name of the database and table, 
and any other relevant information. An SMTP Channel object, on the other hand, includes the 
address of the SMTP server; a username and password; and the recipient, sender, subject, and body 
of the log message. 


Nsure Audit is designed so you can create multiple Channel objects for any given channel. This 
means you can apply different channel configurations to different functions or events. For 
instance, you can configure the logging server to use one MySQL Channel object to add events to 
the central data store and configure a Notification Filter to use another MySQL Channel object to 
create a filtered log. 


The available types of Channel objects are: 


= + 
E» SMTP L Oracle (Only available on NetWare using the 
JDBC Java channel.) 
L 
‘T, SNMP File 
+ * 
L Java L Syslog 
` + 
“MySQL T cvr 
+ + 
L JDBC L Microsoft SQL Server 


Additional Channel objects can be easily incorporated in this model. For more information, see the 
Nsure Audit SDK (http://developer.novell.com/ndk/naudit.htm). 


Of particular note is the Critical Value Reset (CVR) Channel object. In configuring a CVR 
Channel object, you can flag an attribute in eDirectory with a reset policy. If the value of that 
specific attribute is changed, the CVR channel automatically resets the value as per the policy 
defined in the CVR Channel object. 
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Channel Containers 


The logging server looks for Channel objects only in Channel containers; therefore, Channel 
objects can only be created within Channel containers. For information on creating and 
configuring Channel objects, see Chapter 8, “Configuring System Channels,” on page 77. 


Channel containers provide a reference point through which the logging server can locate Channel 
objects. At startup, the logging server scans its list of Channel containers and loads the included 
Channel object configurations and their drivers. The drivers and Channel object configurations are 
then available to provide event notification and to log events. Note that the logging server only 
loads those drivers that have Channel objects in supported Channel containers. For information on 
configuring the Channel Container property on the logging server, see “Logging Server Objects” 
on page 55. 

IMPORTANT: The logging server scans its list of Channel containers only at startup. Therefore, if you create 


or modify a Channel object, you must restart the logging server. For information on restarting the logging 
server, see “Secure Logging Server Startup Commands” on page 182. 


The Channel container under Logging Services is automatically created during installation; 
however, Channel containers can be created anywhere in the tree. 


Notification Objects 


Nsure Audit provides two kinds of event notification: 
¢ Filtered Notification 


+ Heartbeat Notification 


Filtered notification tells you when a specific event has occured; heartbeat notification tells you 
when an event has not occured. The following sections discuss the objects associated with each 
notification. 


Notification Filter Objects 


B 


Notification Filter objects store the criteria the logging server uses to filter system events. They 
also designate which Channel objects the logging server uses to provide event notification. 


When you define a Notification Filter, you specify a value for a given event field. To narrow the 
results, you can define values for multiple event fields. Using standard “and,” “or,” and “not” 
operators, you can define up to 15 event conditions. For more information on the event fields, see 
“Event Structure” on page 155. 


After you define the filter criteria, you must select the object’s notification channel. Notification 
channels are simply the Channel objects the logging server uses to provide event notification. For 
example, if you want to e-mail filtered events to your mailbox, you must select an SMTP Channel 
object that is configured to relay events to your e-mail address. Similarly, if you want to log filtered 
events to a MySQL database, you must select a MySQL Channel object that is configured to write 
events to the correct database and table. You can define multiple notification channels for any 
given Notification Filter. 


The logging server looks for Notification Filter objects only in Notification containers; therefore, 
Notification Filter objects can be created only within Notification containers. For information on 
creating and configuring Notification Filter objects, see Chapter 9, “Configuring Filters and Event 
Notifications,” on page 99. 
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Heartbeat Objects 


Ee 


Heartbeat objects define which Event IDs the logging server looks for and the interval at which 
those events must occur. If an event does not occur within the designated interval, the logging 
server generates a heartbeat event. 


The heartbeat event is automatically logged to the central data store; however, if you want to 
receive notification that a specific event has not occurred, you must create a Notification Filter for 
the corresponding heartbeat event. 


The logging server looks for Heartbeat objects only in Notification containers; therefore, 
Heartbeat objects can be created only within Notification containers. For information on creating 
and configuring Heartbeat objects, see Chapter 9, “Configuring Filters and Event Notifications,” 
on page 99. 


Notification Containers 


(3 


Notification containers provide a reference point through which the logging server can locate 
Notification objects. At startup, the logging server scans its list of Notification containers and 
loads the included Notification object configurations in memory where it can quickly access the 
information to filter or monitor events. For information on configuring the Notification Container 
property on the logging server, see “Logging Server Objects” on page 55. 


IMPORTANT: The logging server scans its list of Notification containers only at startup. Therefore, if you 
create or modify a Notification object, you must restart the logging server. For information on restarting the 
logging server, see “Secure Logging Server Startup Commands” on page 182. 


The Notification container under Logging Services is automatically created during installation; 
however, Notification containers can be created anywhere in the tree. 
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Installation 


This section reviews the system requirements and installation procedures for each platform. 
+ “System Requirements” on page 35 
+ “Preparing to Install” on page 37 
+ “Installing Novell Nsure Audit” on page 37 
+ “Configuring the Platform Agent after Installation” on page 38 


For a listing of all the program files, see “Program Filenames and Directories” on page 193. 


System Requirements 


The following sections outline the system requirements for the Secure Logging Server, Platform 
Agent, and Novell eDirectory™ and NetWare® Instrumentations. 


Secure Logging Server 


The Secure Logging Server is the server component in the Nsure™ auditing system. It is installed 
on the server you want to manage the flow of information to and from the auditing system. 


The server where you install the Secure Logging Server must meet the following requirements: 


Requirement Description 
Operating System NetWare 6.5 
NetWare 6.0 SP3 or later 
NetWare 5.1 SP6 or later 
Windows* 2003 Server 
Windows 2000 SP3 
Solaris* 8 and 9 
SUSE? Linux* Enterprise Server 8 
RedHat* Linux AS and ES 2.1 
eDirectory Novell eDirectory version 8.5 or higher 


Processor A single processor, server-class PC with a Pentium* Il 400 Mhz 
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Requirement Description 
Disk Space At least 40 MB 


The space you need for your data store depends on a number of factors 
which include, but are not limited to, how many events per second you are 
storing and how long you want to keep the data. For MySQL, a system that 
generates around 80 events per second with an average event size of 80 
bytes consumes approximately 500 MB of disk space for the database 
table and 150 MB for the index in a 24 hour period. 


RAM 512 MB 


Platform Agent 


The Platform Agent is the client portion of the Nsure auditing system. It is a shared library that is 
used by instrumented applications to log events to Novell Nsure Audit. It does not have any system 
requirements other than disk space for the Disconnected Mode Cache. (eDirectory is not required.) 


The Platform Agent must be installed on every server or workstation running applications that log 
events to Nsure Audit. The Platform Agent supports the following platforms: 


+ NetWare 4.2 or later 

+ Windows NT, Windows 2000 and Windows 2000 Server, Window XP, Windows 2003 Server. 
+ SUSE Linux Enterprise Server 8 

¢ Solaris 8 and 9 


+ RedHat Linux 7.3, 8, AS, and ES 2.1 


eDirectory Instrumentation 


The eDirectory Instrumentation enables Nsure Audit to log eDirectory events. To avoid receiving 
duplicate entries for eDirectory events, enable the do not sent replicated events option. To enable 
this, open the Nsure Audit tab of your NCP Server object and check the "Do not send replicated 
events" checkbox. To log non-replicated events (such as logins), it must be installed on each 
individual server for which you want to log non-replicated events. 


eDirectory Instrumentation also requires that the Platform Agent be installed on the same machine. 
The eDirectory Instrumentation supports the following versions of the Directory: 

+ NDS? 6.x 

¢ NDS 7.x 

+ NDS 8.x 

¢ eDirectory 8.6 (NetWare, Windows, Linux, and Solaris) 

¢ eDirectory 8.7 (NetWare, Windows, Linux, and Solaris) 


NetWare Instrumentation 
The NetWare Instrumentation allows Nsure Audit to log NetWare and file system events. It must 


be loaded on every server for which you want to log NetWare and file system events. It also 
requires that the Platform Agent be installed on the same machine. 
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The NetWare Instrumentation supports the following versions of NetWare: 


+ 


+ 


+ 


+ 


NetWare 4.2 SP9 or later 
NetWare 5.1 SP6 or later 
NetWare 6.0 SP3 or later 
NetWare 6.5 


Preparing to Install 


Before installing Novell Nsure Audit, you should run through the following checklist: 


+ 


+ 


Make sure the tree is synchronized and error free. For detailed information on eDirectory 
Health Check procedures, see “Keeping eDirectory Healthy” (http://www.novell.com/ 
documentation/lg/edir87/edir87/data/a5ziqam.html). 


Make sure you have Admin level rights to the root of the tree where you plan to install Novell 
Nsure Audit. You must provide the administrator username and password during installation 
so the installation program can extend the schema. 


Installing Novell Nsure Audit 


To Install Novell Nsure Audit, follow the instructions contained in the Quick Start Guide for each 
supported platform. These guides are available on the Nsure Audit installation CD, or at http:// 
www.novell.com/documentation/nsureaudit/index.html (http://www.novell.com/documentation/ 
nsureaudit/index.html). 


Activating Novell Nsure Audit 


This section contains instructions on activating Novell Nsure Audit on all supported platforms. 


+ 


+ 


+ 


+ 


+ 


“Activating Novell Nsure Audit on NetWare” on page 37 
“Activating Novell Nsure Audit on Windows” on page 38 
“Activating Novell Nsure Audit on Linux” on page 38 


“Activating Novell Nsure Audit on Solaris” on page 38 


“Activating Novell Nsure Audit Report (LReport)” on page 38 


Activating Novell Nsure Audit on NetWare 


1 


When you license Novell Nsure Audit, you receive a license file with an .nlf extension. Copy 
this license file to sys:\system\naudit.nlf, or if you installed to a location other than the default, 
to the folder containing lengine.nlm. 


2 Restart the logging server. For instructions, see “Starting and Stopping the Secure Logging 


Server on NetWare” on page 182. When the server restarts, activation messages no longer 
appear. 
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Activating Novell Nsure Audit on Windows 


1 When you license Novell Nsure Audit, you receive a license file with an .nlf extension. Copy 
this license file to C:\program files\novell\nsure audit\naudit.nlf, or if you installed to a 
location other than the default, to the folder containing lengine.exe. 


2 Restart the logging server. For instructions, see “Starting and Stopping the Secure Logging 
Server on Windows” on page 183. When the server restarts, activation messages no longer 
appear. 


Activating Novell Nsure Audit on Linux 


1 When you license Novell Nsure Audit, you receive a license file with an .nlf extension. Copy 
this license file to /opt/novell/naudit/naudit.nlf, or if you installed to a location other than the 
default, to the folder containing lengine. 


2 Restart the logging server. For instructions, see “Starting and Stopping the Secure Logging 
Server on Linux” on page 183. When the server restarts, activation messages no longer 
appear. 


Activating Novell Nsure Audit on Solaris 


1 When you license Novell Nsure Audit, you receive a license file with an .nlf extension. Copy 
this license file to /opt/novell/naudit/naudit.nlf, or if you installed to a location other than the 
default, to the folder containing lengine. 


2 Restart the logging server. For instructions, see “Starting and Stopping the Secure Logging 
Server on Solaris” on page 183. When the server restarts, activation messages no longer 
appear. 


Activating Novell Nsure Audit Report (LReport) 


1 In LReport, click File >Import, then select Application Schemata. 


2 Specify the IP address of your Nsure Audit logging server, then select a language. Activation 
messages no longer appear in Ireport. 


Configuring the Platform Agent after Installation 


The Novell Nsure Audit installation program configures the current server (localhost) as the 
Platform Agent’s log host (that is, the Secure Logging Server the Platform Agent connects to). 


Therefore, if the current server is not the Platform Agent’s log host, you must edit the agent’s 
configuration file, logevent, so the LogHost setting points to the IP address or host name of the 
Secure Logging Server. 


Details on the logevent configuration file is contained in each Quick Start guide. For more 
information, see “Logevent” on page 52. 
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Nsure Audit iManager Plug-in 


Novell® Nsure™ Audit is managed and configured using Novell iManager. Novell iManager is a 
Web-based application that is used to manage, maintain, and monitor Novell eDirectory™ through 
wired and wireless devices. With the Nsure Audit iManager plug-in, iManager can be used to 
manage Nsure Audit objects in eDirectory. 


The Nsure Audit iManager plug-in is included with the Nsure Audit 1.0.2 installation. 


System Requirements 


Installing and using the Nsure Audit iManager Plug-in requires the following: 


+ ¡Manager 2.0.1. See the Novell ¡Manager Product Page (http://www.novell.com/products/ 
consoles/imanager/index.html) for requirements and download instructions. 


Opening iManager 


1 Access ¡Manager from a Web browser, using the following URL: 
https://IP_or_DNS/nps/iManager.htm] 
where JP_or_DNS is the IP address or DNS name of your ¡Manager server. 
For example: 
http://192.168.0.5/nps/iManager.html 


2 Log in using your username and password. 


In iManager, you have access only to those roles for which you have assigned rights. To have full 
access to all Novell iManager features, you must log in as a user with Admin level rights to the tree. 


iManager Interface 
The iManager 2 interface has two administrative views: the Roles and Tasks view and the Object 


view. Both views are task driven. 


The Roles and Tasks view provides a list of available roles and their associated tasks. The user does 
not need to browse the tree to find an object to administer; instead, the plug-in for that task presents 
the necessary tools and interface to perform the task. 


NOTE: You only have access to those tasks for which you have assigned rights. 
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User: admin.sim.SIMLS-TREE. 


@ Roles and Tasks Novell. ¡Manager www.novell.com 
= — Www novencom 

+ Print al Version 2.0.0 

El LDAP 

+ Licenses 


You are currently logged in as user admin.sim in the Novell eDirectory SIMLS-TREE tree 
[+] NetStorage with Unrestricted access, 


+] NetWare Product Usage 


+) NMAS 


+) Novell Certificate Access 
+] Novell Certificate Server 


= Nsure Audit 

Queries 

Query Configuration 
Server Configuration 


=] Partition and Replicas 
H Rights 


+ Schema 


+ Servers 


E SMS 


+ SNMP 


+ 


Storage 

+ UDDI Administration 

UDDI Inquiry 

y UDDI Publish & User Access 


Cantral +! 


f: A Start| | €l WebAdmin - Microsoft In... e Novell iManager - Mic... Y iman_objectivew - Paint | El Nsure Audit Report | 


E 


The Nsure Audit role includes the following tasks: 


Task Description 


Query Configuration The Query Configuration task allows you to define your available 
databases, import log schemas, and set general report settings such 
as query limits and default sort order. For more information, see “Using 
¡Manager to Generate Queries” on page 105. 


Queries The Queries task guides you through the process of defining and 
running queries. For more information, see “Using iManager to 
Generate Queries” on page 105. 


Server Configuration The Server Configuration task allows you to configure a specific 
logging server. You can also create Notification, Channel, and 
Application objects in the logging server's supported containers. For 
more information, see “Configuring the Logging ServeriniManager” on 
page 57. 


The Object view displays objects by context. To move up or down in the tree, click the navigation 
arrows. You can also navigate the tree by entering a specific context in the Context field. 


When you select an object, ¡Manager displays the tasks that can be performed on that object. Select 
a task to open the corresponding menu. 
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BE lalele [Ea] 


Novell. 


| User: admin.SIM.SIMLS-TREE. 


neo Browse \ Search ee E Novell. ¡Manager > www.novell.com 
i E A A XA Version 2.0 

| Context: [root] č  ž O0 

| Name | | 

| Type: | All Available Types | You are currently logged in as user admin.SIM in the Novell eDirectory SIMLS-TREE tree 
| Appl with Unrestricted access, 


| Objects: Multiple Select 


oy 
$ ¿SIMLS-TREE. 


£ Es sm 
sra Security 


Copy Object 

Create Extended Object 
Create Object 

Delete Object 

Modify Inherited Rights Filter 
Modify Object 

Modify Trustees 

Object Extensions 
Rename Object 

Rights To Other Objects 
View Effective Rights 


<< Previous | NEXUS] [ 100 | 


IMPORTANT: Do not use the browser's Back and Forward buttons while using iManager. Because ¡Manager 
is a Web-based application, it is important to navigate through the interface using the buttons inside the 
application, not the buttons on the browser's toolbar. 


Performing Basic Administrative Functions in ¡Manager 


This section reviews how to perform the following administrative functions: 
+ Creating Objects in ¡Manager 
+ Renaming Objects in ¡Manager 
¢ Deleting Objects in ¡Manager 
+ Modifying Object Attributes in ¡Manager 


IMPORTANT: Do not use the browser's Back and Forward buttons while using iManager. Because ¡Manager 
is a Web-based application, it is important to navigate through the interface using the buttons inside the 
application, not the buttons on the browser's toolbar. 


Creating Objects in ¡Manager 

4 Click the View Objects [$ button on the ¡Manager toolbar. 

2 In the Object view, select the container where you want to create the object. 

3 Select Create Object from the Task list. 

4 In the Create Object screen, select the type of object you would like to create then click OK. 
If the object does not appear in the Creation list: 
4a Click Add Object Class to Creation List. 
4b Locate the object in the Class List. 
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TIP: All Nsure Audit objects begin with NAudit. 
4c Click Next. 


The summary screen explains that the information for this object class is stored in an 
XML file on the iManager server. 


4d Click Finish to add the object to the Creation List. 
4e In the confirmation screen, click OK. 

The object now appears in the Creation List. 
Specify the object name. 
When finished, click OK. 


Renaming Objects in iManager 


1 


2 
3 
4 


6 


Click the View Objects E button on the iManager toolbar. 

In the Object view, select the object you want to rename. 

Select Rename Object from the Task list. 

Specify the new object name. 

IMPORTANT: Do not include the context with the new object name. 

If you want, you can mark the rename options. 

5a The Save Old Name option saves the original name as an attribute on the object. 


5b The Create an Alias in Place of Renamed Object option renames the current object and 
creates an alias of that object using the original name. 


When finished, click OK. 


Deleting Objects in ¡Manager 


1 
2 
3 
4 


Click the View Objects button [e on the iManager toolbar. 
In the Object view, select the object you want to delete. 
Select Delete Object from the Task list. 

Click OK to delete the object. 
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1 
2 
3 


Click the View Objects button [e on the iManager toolbar. 
In the Object view, select the object you want to modify. 
Select Modify Object from the Task list. 

The configuration window displays the object’s attributes. 
Modify the object’s attributes. 


IMPORTANT: If you modify attributes in multiple tabs, you must click Apply in each screen to save your 
changes. 


When finished, click OK. 
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Configuring the Secure Logging Server 


The Secure Logging Server is the server component in the Nsure auditing system.The Secure 
Logging Server manages the flow of information to and from the Nsure auditing system—that is, 
it receives incoming events and requests from the Platform Agents; logs information to the data 
store; monitors system events; and provides filtering and notification services. For more 
information, see “Configuring the Secure Logging Server” in the Novell Nsure Audit 1.0.2 
Administration Guide. 


The Secure Logging Server can be configured using the Nsure Audit Interactive Configuration 
Guide link in iManager, which walks you through an interactive setup of your Secure Logging 
Server, Log Channels, Notifications, and Log Applications: 


Server Configuration: [@ Logging Server 


LS Channels \ Notifications \ Log Applications 


Summary | Configuration | Memory | Status 


This summary gives you an overview of how your Secure Logging Server is configured. 
If you wish to configure it you may select Channels, Notifications, Applications above, 


or you may use the Secure Logging Server,Interactive Configuration Guide to be 
guided through the configuration process i 


To configure the Secure Logging Server Manually: 
1 Click the Roles and Tasks button |! on the ¡Manager toolbar. 


2 Inthe Roles and Tasks view, expand the Nsure Audit role and select the Server Configuration 
task. 


3 Select the Secure Logging Server object and click OK. 


+ Click the Object History button LAI to see a list of Logging Server objects that have been 
selected during this iManager session. 


or 


+ Click the Object Selector button [Al to locate the object in the directory tree. To move up 
or down in the tree, click the navigation arrows. You can also search the tree by entering 
the object name and context in the Search frame. 


4 Click General to modify the logging server’s Configuration, Memory, and Status attributes. 
IMPORTANT: You must click Apply in each screen to save your changes. 
4a In the Configuration menu, you can configure the following attributes: 


+ Host Server is the distinguished name of the NCP Server object associated with the 
current logging server. This setting defaults to the server on which the Secure 
Logging Server was installed. 


+ Driver Directory is the directory in which the channel drivers (Igd* nlm) are 
located. The default directory on NetWare is sys:\system\ . 


+ Log Channel is the Channel object the logging server uses to create the central data 
store 
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+ Secure Logging Certificate File is the path and filename for the Logging Server 
Certificate 


+ Secure Logging PrivateKey File is the path and filename for the Secure Logging 
Certificate’s private key file. 


4b In the Memory menu, you can configure the following attributes: 


+ Minimum is the amount of memory the server automatically allocates at boot time 
to handle logging processes. 


+ Normal is the amount of memory the server can immediately allocate if logging 
traffic exceeds the Minimum memory setting 


+ Maximum is the maximum amount of memory that can be allocated to logging 
processes. 


4c In the Status menu, you can enable or disable the Secure Logging Server. 


5 Click Channels to select the logging server’s supported Channel containers and to create, 
modify, or delete Channel objects. 


For specific examples, see “Creating and Configuring File Channel Objects” on page 44 and 
“Creating and Configuring SMTP Channel Objects” on page 46. For more information on 
Channel objects, see “Configuring System Channels” in the Novell Nsure Audit 1.0.2 
Administration Guide. 


6 Click Notifications to select the logging server’s supported Notification containers and to 
create, modify, or delete Notification objects. 


For specific examples, see “Configuring Heartbeat Notification Objects” on page 47 and 
“Configuring Notification Filter Objects” on page 48. For more information on Notification 
objects, see “Configuring Filters and Event Notifications” in the Novell Nsure Audit 1.0.2 
Administration Guide. 


7 Click Log Applications to select the logging server’s supported Application containers and to 
create, modify, or delete Application objects. 


NOTE: Application objects are usually created automatically when either Nsure Audit or the logging 
application is installed. If necessary, however, they can also be manually added to the tree through the 
administrative interface. 


For more information on Application objects, see “Application Objects” in the Novell Nsure 
Audit 1.0.2 Administration Guide 


8 When finished, click OK. 


For an explanation of each attribute, see “Logging Server Objects ”in the Novell Nsure Audit 1.0.2 
Administration Guide. 
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The File channel allows the logging server to log events directly to file in raw format or to translate 
those events to a human-readable log file. Raw files contain the event data in comma-delimited 
format. Translated log files contain the event descriptions rather than the event data and can be 
dynamically localized into other languages. For more information, see “File” in the Novell Nsure 
Audit 1.0.2 Administration Guide. 


To create and configure the File Channel object: 


4 Click the Roles and Tasks button J on the ¡Manager toolbar. 
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2 Inthe Roles and Tasks view, expand the Nsure Audit role and select the Server Configuration 
task. 


3 Select the Secure Logging Server object and click OK. 


+ 


oo nrtoaodnw A 


Click the Object History button LEI to see a list of Logging Server objects that have been 
selected during this iManager session. 


or 


Click the Object Selector button [SI to locate the object in the directory tree. To move up 
or down in the tree, click the navigation arrows. You can also search the tree by entering 
the object name and context in the Search frame. 


In the Server Configuration screen, click Channels. 

Mark the Channels container and click New Channel, then click OK. 

In the New Channel window, select File Channel. 

Enter a name for the Channel object and click OK. 

In the Channels screen, click the plus icon I+ to expand the Channels container. 


Select the File Channel object and click Edit Channel. 


10 Configure the File channel attributes. 


+ 


+ 


Log File is the path to the log file. 


IMPORTANT: All file data stores are named “log.” Therefore, if you have multiple File Channel 
objects, you must point them to different paths. 


Purge Log Files After is the log file’s life span. The logging server deletes all log files 
older than the designated time period. 


Roll When Log File Reaches is the log file’s maximum file size. When a log file reaches 
the designated file size, the File driver renames the file and creates a new log file. 


In Translated mode, the File driver writes the event description to the data store. 


In Raw mode, the File driver writes the event data in comma-delimited format to the data 
store. 


Translated Language is the language in which the events descriptions for Translated log 
files are written to file. 


IMPORTANT: This option is only valid in Translated mode. 


Status allows you to enable or disable the current File Channel object. 


41 When finished, click OK. 


For more information on each attribute, see “File Channel Object” in the Novell Nsure Audit 1.0.2 
Administration Guide. 


Logging Events to the File Channel 


If you want the Secure Logging Server to log events to the File channel: 


1 In the Server Configuration screen, click General > Configuration. 


2 In the Log Channel field, select the File Channel object. 


Click the Object Selector button MN to locate the File Channel object in the directory tree. (Go 
to the Logging Services > Channels container.) 
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3 When finished, click OK or Apply. 


If you want to log filtered events to the File channel: 


1 Create a Notification Filter object that filters the events you want to write to the filtered data 
store. 


2 Select the File Channel object as one of the Notification Filter object’s notification channels. 


For information on creating Notification Filter objects, see “Configuring Notification Filter 
Objects” on page 48. 


Creating and Configuring SMTP Channel Objects 
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The SMTP channel allows the logging server to e-mail logged events to a mailbox, cell phone, or 
other e-mail enabled device. For more information, see “SMTP” in the Novell Nsure Audit 1.0.2 
Administration Guide. 


To create and configure the SMTP Channel object: 
4 Click the Roles and Tasks button J on the ¡Manager toolbar. 


2 Inthe Roles and Tasks view, expand the Nsure Audit role and select the Server Configuration 
task. 


3 Select the Secure Logging Server object and click OK. 


+ Click the Object History button LEI to see a list of Logging Server objects that have been 
selected during this iManager session. 


or 


+ Click the Object Selector button Wto locate the object in the directory tree. To move up 
or down in the tree, click the navigation arrows. You can also search the tree by entering 
the object name and context in the Search frame. 


In the Server Configuration screen, click Channels. 

Mark the Channels container and click New Channel, then click OK. 

In the New Channel window, select SMTP Channel. 

Enter a name for the SMTP Channel object and click OK. 

In the Channels screen, click the plus icon El to expand the Channels container. 
Select the SMTP Channel object and click Edit Channel. 

10 Configure the SMTP channel attributes. 
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+ Host is the host name or IP address of the SMTP server. 


+ User is the username for the e-mail account the SMTP channel uses to connect to the 
SMTP server. (The username is only required if SMTP Authentication is enabled on the 
SMTP server.) 


+ Password is the password for the e-mail account the SMTP channel uses to connect to 
the SMTP server. 


+ Sender is the name you want to appear in the From: line for all messages sent from this 
SMTP Channel object. 
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+ 


Recipients lists the e-mail addresses to which all events directed through this SMTP 
Channel object are sent. Addresses can be separated with a comma (,), a semi-colon (;), 
or a space. 


Subject is the text you want to appear in the Subject line for all messages sent from this 
SMTP Channel object. The subject line can contain up to 255 characters. 


Message is the text you want to appear in the message body for all messages sent from 
this SMTP Channel object. The message body can be up to 64 KB; however, this is not 
recommended for performance reasons. 


Status allows you to enable or disable the current SMTP Channel object. 


11 When finished, click OK. 


For detailed information on each attribute, see “SMTP Channel Object "in the Novell Nsure Audit 
1.0.2 Administration Guide. 


Configuring Heartbeat Notification Objects 


Heartbeat objects monitor the stream of incoming events for the occurrence of a specific event. If 
the event does not occur within the designated interval, the logging server generates a heartbeat 
event (Event ID 0001001). 


IMPORTANT: Heartbeat events are logged to the central data store; however, if you want to receive 
notification that a specific event has not occurred, you must create a Notification Filter for the corresponding 
heartbeat event. 


To create a Heartbeat Notification object: 


Click the Roles and Tasks button IS] on the ¡Manager toolbar. 


1 
2 
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In the Roles and Tasks view, expand the Nsure Audit role and select the Server Configuration 
task. 


Select the Secure Logging Server object and click OK. 


+ 


Click the Object History button LEI to see a list of Logging Server objects that have been 
selected during this ¡Manager session. 


or 


Click the Object Selector button [SI to locate the object in the directory tree. To move up 
or down in the tree, click the navigation arrows. You can also search the tree by entering 
the object name and context in the Search frame. 


In the Server Configuration screen, click Notifications. 


Mark the Notifications container and click New Notification > OK. 


In the New Notification window, select Heartbeat Notification. 


Enter a name for the Heartbeat Notification object and click OK. 


In the Notifications screen, click the plus icon I+ to expand the Notifications container. 


Select the Heartbeat Notification object and click Edit Channel. 


In the Modify Object screen, configure the Heartbeat Notification attributes. 


+ 


+ 


Description contains a description and any necessary explanation for the Heartbeat 
object. The field limit is 255 characters. 


EventID is the Event ID you want the logging server to monitor. 
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+ Interval is the maximum number of seconds between each event occurrence. If the event 
does not occur within the designated interval, the logging server generates a heartbeat 
event. 


+ The Texti and Text2 fields contain the information that you want to appear in the 
heartbeat event's Textl and Text2 fields. These fields can contain any text string up to 
255 characters. 


+ The Valuel and Value2 fields contain the information that you want to appear in the 
heartbeat event’s Valuel and Value2 fields. These fields can contain any numeric value 
up to 32 bits. 


IMPORTANT: To facilitate filtering of heartbeat events, the Text1, Text2, Value1, and Value2 fields 
should include information that allows you to identify which event triggered the heartbeat event. 


+ The plus icon t+ allows you to add another event line. Each line defines a separate event 
for the logging server to monitor. There is no programmed limit to the number of events 
that can be added to Heartbeat objects. 


+ The Status page allows you to enable or disable the current Heartbeat Notification object. 


11 When finished, click OK. 


For detailed information on each attribute, see “Heartbeat Objects "in the Novell Nsure Audit 1.0.2 
Administration Guide. 


Configuring Notification Filter Objects 
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Notification Filters filter specific events from the stream of incoming events. The filtered events 
are then routed to one or more channel drivers to provide notification. 


To create a Notification Filter object: 
1 Click the Roles and Tasks button |“! on the ¡Manager toolbar. 


2 Inthe Roles and Tasks view, expand the Nsure Audit role and select the Server Configuration 
task. 


3 Select the Secure Logging Server object and click OK. 


+ Click the Object History button LEI to see a list of Logging Server objects that have been 
selected during this iManager session. 


or 


+ Click the Object Selector button Wto locate the object in the directory tree. To move up 
or down in the tree, click the navigation arrows. You can also search the tree by entering 
the object name and context in the Search frame. 


In the Server Configuration screen, click Notifications. 

Mark the Notifications container and click New Notification > OK. 

In the New Notification window, select Notification. 

Enter a name for the Notification object and click OK. 

In the Notifications screen, click the plus icon I+ to expand the Notifications container. 


Select the Notification object and click Edit Channel. 
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In the Modify Object screen, configure the Notification attributes. 
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+ 


Description contains a description and any necessary explanation for the Notification 
object. The field limit is 255 characters. 


The Rule defines the conditions used to filter events. 
To define a rule: 
1) Select the event field on which the logging server filters events. 


2) Select the condition under which the Value is applied to the Event Field. The available 
conditions depend on which event field you select. 


3) Enter the value that is applied to the designated Event Field. 


4) To narrow the filter results, you can use standard “and,” “or,” and “not” operators. 
Using the operators, you can define up to 15 event conditions. The conditions are 
accumulative; that is, the logging server applies the first, then the second, then the third, 
etc., to progressively narrow the results. 


The Notification Channel is the channel to which the notification filter routes the filtered 
events (for example e-mail or a log file). You can select multiple notification channels. 


Click the Browse button Ñ to locate the Channel object in the directory tree. (Go to the 
Logging Services > Channels container.) 


The Status page allows you to enable or disable the current Notification object. 


11 When finished, click OK. 


For detailed information on each attribute, see “Notification Filters” in the Novell Nsure Audit 
1.0.2 Administration Guide. 


Logging eDirectory, NetWare, and File System Events 


Novell Nsure Audit provides the instrumentations necessary to log eDirectory, NetWare, 
traditional file system, and NSS events. 


IMPORTANT: On NetWare, the NetWare and eDirectory instrumentations automatically load each time the 
server restarts. Therefore, you want to be careful in selecting which events are logged. Ubiquitous events such 
as File Open and File Close can quickly consume your data storage space. You must either be selective in 
which events you choose to log, or you must plan accordingly by configuring your database expiration 
commands or your log file’s purge and roll settings. 


To select which NetWare, file system, or eDirectory events you want to log: 


1 
2 
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Click the View Objects button [A on the ¡Manager toolbar. 


In the Object view, locate and select the Secure Logging Server’s associated NCP Server 
object. 


To move up or down in the tree, click the navigation arrows. You can also search the tree by 
entering the object name and context in the Search frame. 


In the Task window, click Modify Object. 

In the Modify Object screen, click Nsure Audit. 

Select an event menu (NetWare, Filesystem, or eDirectory). 
Mark the check box next to the events you want to log. 
Click Apply. 


You must click Apply in each screen to save your changes. 
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8 When finished, click OK. 
When you click OK, the logging server automatically begins logging the marked events. 


For information on individual events, see “NetWare Events”, “File System Events”, or “eDirectory 
Events” in the Novell Nsure Audit 1.0.2 Administration Guide. 


Securing Your iManager Connection 


When you log in to iManager, your connection is automatically forwarded to a secure port. The 
default HTTPS port for iManager is 443. 


For more information on running iManager over an SSL connection, see Configuring and Using 
SSL for LDAP Connections in the ¡Manager Administration Guide. (http://www.novell.com/ 
documentation/lg/imanager 15 1/tmanager/data/adbcvpt.html) 
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Configuring the Logging System 


The base components in the Novell® Nsure™ auditing system are the Platform Agent, the Secure 
Logging Server, and the data store. This section provides the information you need to configure 
and manage these components. 


+ “Configuring the Platform Agent” on page 51 

+ “Disconnected Mode Cache” on page 51 

+ “Logevent” on page 52 
+ “Configuring the Secure Logging Server” on page 54 

+ “Creating the Logging Server Object” on page 54 

+ “Logging Server Objects” on page 55 

+ “Configuring the Logging Server in iManager” on page 57 
+ “Configuring the Data Store” on page 64 


Configuring the Platform Agent 


The Platform A gent, logevent, is the client portion of the Nsure auditing system. It receives 
logging information and system requests from authenticated applications and transmits the 
information to the Secure Logging Server. 


For more information on program binaries, see “Program Files” on page 191. For information on 
how applications authenticate with Nsure Audit, see “Authenticating Logging Applications” on 
page 139. 


There are several advantages to having applications connect to the Platform Agent instead of the 
Secure Logging server: 


+ It is easier for applications to plug into the Nsure Audit system because the complexity and 
overhead of communicating with the logging server is off-loaded to the Platform Agent. 


+ Centralizing the communication load makes the system more efficient. 


+ The Platform Agent and logging applications are on the same computer, giving you secure, 
uninterrupted logging. If the connection between the Platform Agent and the Secure Logging 
Server fails, the Platform Agent simply switches into Disconnected Cache Mode. 


Disconnected Mode Cache 


If the connection between the Platform Agent and the Secure Logging Server fails, applications 
continue to log events to the local Platform Agent, just as they always do. The Platform Agent 
simply switches into Disconnected Cache mode; that is, it begins sending events to the Logging 
Cache module. The Logging Cache module then writes the events to the Disconnected Mode 
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Logevent 


Option 


LogHost=<dns name> 


LogCacheDir=<path> 


LogEnginePort=<port> 


Cache until the connection is restored. The switch into Disconnected Cache Mode is completely 
transparent to the logging applications. 


NOTE: The port at which the Platform Agent connects to the Logging Cache Module is configured in the 
logevent.cfg file. For more information on this parameter, see “Logevent” on page 52. 


The Logging Cache Module maintains a separate cache file for each authenticated application. The 
cache files include the authentication credentials as well as the log events for their respective 
applications. 


When the connection to the Secure Logging Server is restored, the Logging Cache Module 
transmits the cache files to the Secure Logging Server. To protect the integrity of the data store, 
the Secure Logging Server validates the authentication credentials in each cache file before 
logging its events. 


The Platform Agent is not configured through Novell eDirectory™. Instead, the Platform Agent’s 
configuration settings are stored in a simple, text-based configuration file. On NetWare® and 
Windows systems, the configuration file is logevent.cfg. On Linux and Solaris systems, the file is 
logevent.conf. 


Storing the Platform Agent’s configuration in a local text file makes the Platform Agent small, 
unobtrusive, and self-contained—that is, it has no external dependencies, so it is always available 
to receive logged events. Storing the Platform Agent’s configuration in a text based file also allows 
the Platform Agent to eventually run on platforms that do not have eDirectory support. 


The following is a sample logevent.cfg file. 


LogHost=127.0.0.1 
LogCacheDir=c: \logcache 
LogCachePort=288 
iogEnginePort=289 
LogCacheUnload=no 
LogReconnectInterval=600 
LogDebug=never 
LogSigned=always 


The entries in the logevent file are not case sensitive, entries can appear in any order, empty lines 
are legal, and any line that starts with a hash (#) is commented out. 


The following table provides an explanation of each setting in the logevent file. 


NOTE: Some settings might not be available in all versions of Novell Nsure Audit. 


The Platform Agent Configuration tool is launched using the following command: 


Description 


Name or IP address of the Secure Logging Server the Platform 
Agent should use. 


The directory where the Platform Agent should store the 
cached event information if the Primary or Secondary Secure 
Logging Server becomes unavailable. 


Port used by the Secure Logging Server to accept data from 
Platform Agents. 
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Option 
LogCachePort=<port> 
LogCacheUnload=<Y|N> 


LogCacheSecure=<Y|N> 


LogReconnectInterval=<s> 


LogDebug=<Never|Always|Server> 


LogSigned=<Never|Always|Server> 


LogMaxBigData=<bytes> 


LogMaxCacheSize=<bytes> 


LogCacheLimitAction=<stop logging|drop cache> 


Description 
Port used by the Platform Agent caching mechanism. 
Set to N if Icache should not allow unloading 


If the local cache file should be encrypted, this option must be 
set to Y. 


Interval, in seconds, indicating how often the Platform Agent 
and the Platform Agent Cache try to reconnect to the Secure 
Logging Server after the connection was lost. 


Set to Never to never log debug events. Set to Always to 
always log debug events. Leave out or set to Server to use the 
default setting provided by the Secure Logging Server. 


Set to Never to never sign events. Set to Always to always log 
events with signature. Leave out, or set to Server to use the 
default setting provided by the Secure Logging Server. 


Set this value to allow the data field in the event to be larger 
than the default (3072 bytes). This should be set to the 
maximum number of bytes that this client will allow. Larger 
data is truncated, or not sent if the application doesn't allow 
truncated events to be logged. 


Set to the maximum size in bytes that a cache file will hold. 


The action that you want the cache module to take when it has 
reached the maximum cache size limit. Set to 'stop logging’ if 
you want to stop collecting new events. Set to 'drop cache’ if 
you want to delete the cache and start over with any new 
events that are generated. 


Logevent.cfg is stored in the following directories: 


Operating System 
NetWare 
Windows 


Linux\Solaris 


Platform Agent Configuration Tool 


Path 
sys:\etc\logevent.cfg 
windows_directory\logevent.cfg 


/etc/logevent.conf 


The Platform Agent Configuration Tool provides a graphical interface to manage Nsure Audit 
Platform Agents. This tool operates by making changes to the logevent.cfg file, which contains 
configuration settings for the Platform Agent. 


To make configuration changes, you can either open and edit an exisiting logevent.cfg 
configuration file, or create a new logevent.cfg file. When your changes are complete, the updated 
file must be saved in the correct location for your changes to be applied. 


For a description of each available parameter, see “Logevent” on page 52. 
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Running the Platform Agent Configuration Tool 


1 Locate the Platform Agent Configuration tool Java Archive file (.jar). By default it is installed 
in the following location: 


+ Netware: Sys:\system\naudit\paconfig.jar 

+ Linux: /opt/novell/naudit/paconfig jar 

+ Windows: \program files\novell\nsure auditipaconfig.jar 
+ Solaris: /opt/NOVLnaudit/paconfig.jar 


2 Launch the Platform Agent Configuration tool by executing the following command at a 
console, from the folder you located in step 1: 


java -jar nauditpaconfig.jar 


Configuring the Secure Logging Server 


The Secure Logging Server, the server component in the Nsure auditing system, is implemented 
in the shared library, lengine. For more information on program binaries, see “Program Files” on 
page 191. 


The Secure Logging Server manages the flow of information to and from the Nsure auditing 
system. It receives incoming events and requests from the Platform Agents, logs information to 
the data store, monitors designated events, and provides filtering and notification services. It can 
also be configured to automatically reset critical system attributes according to a specified policy. 


The Secure Logging Server is configured through eDirectory. The Logging Server object in 
eDirectory stores all the properties and attributes for the Secure Logging Server. Consequently, the 
server must have access to eDirectory and the Logging Server object before it can launch the 
Secure Logging Server. 


To minimize server reaction time and ensure high system performance, you should create a local 
replica of the Logging Server object and its associated objects on the logging server. 


Creating the Logging Server Object 
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On NetWare, Linux, and Solaris systems, the Logging Server object can be created automatically 
in the Logging Services container during installation or it can be created manually anywhere in the 
tree after installation. Which option you choose depends, to a degree, on your system design. 


NOTE: The Windows installation program automatically creates the Logging Server object in the Logging 
Services container. 


Locating the Logging Server object in the Logging Services container is ideal for organizations 
that need a simple, easy-to-manage logging system. It also suits organizations that are 
implementing Nsure Audit as an auditing solution and, for security reasons, want to centrally 
manage their systems. Using the Configure Logging Server option, these systems are immediately 
operational after install. 


Conversely, to facilitate distributed system administration, Logging Server objects can be created 
and managed outside the Logging Services container. In fact, in distributed environments, Logging 
Servers and their associated objects should be created in a context assigned to their administrator. 
To create Logging Server objects outside of the Logging Services container, you must manually 
create the objects using iManager. 
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For information on creating objects in your respective administrative tool, see Chapter 4, “Nsure 
Audit iManager Plug-in,” on page 39. 


Logging Server Objects 


The Logging Server object represents the physical server where you have installed the Secure 
Logging Server. However, because the Logging Server object is specific to Nsure Audit, it does 
not replace the NCP Server object. Instead, each Logging Server object is associated with a host 
NCP Server object. 


The Logging Server object is represented as a container with server attributes: it can contain Nsure 
Audit objects and it stores all the properties and attributes for the Secure Logging Server. 


The following table provides an explanation of the Logging Server object’s attributes. 


Attribute 
Configuration 


Host Server 


Driver Directory 


Log Channel 


Secure Logging Certificate 
File 


Description 


The distinguished name of the NCP Server object associated with the current logging server. 


Click the Object Selector button to select the Host Server in the tree. 


The directory in which the channel drivers (Igd*) are located. 


The default channel driver directories are as follows: 
+ sys:\system\ (NetWare) 

¢ \program files\novell\nsure audit\ (Windows) 

+ /opt/novell/naudit/ (Linux) 


+ /opt/NOVLnaudit/ (Solaris) 


The Channel object the logging server uses to create the central data store. 


Click the Object Selector button to select the Channel object in the tree. 


The path and filename for the Logging Server Certificate. 


This attribute enables the logging server to use a custom certificate created with the AudCGen 
utility. If this field is left blank, the logging server uses the default embedded certificate. 


IMPORTANT: Nsure Audit only recognizes certificates that are generated with the AudCGen 
utility. For information on generating custom certificates, see “Creating the Secure Logging 
Certificate” on page 142. 


NSure Audit uses certificates to authenticate client connections. The logging server only 
accepts connections from applications that have a valid Logging Application Certificate. 


For general information on how certificates are used in Nsure Audit, see Chapter 11, “Security 
and Non-Repudiation,” on page 139. 
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Attribute 


Secure Logging Privatekey 
File 


Containers 


Application Containers 


Notification Containers 


Channel Containers 


Memory 


Description 


The path and filename for the Secure Logging Certificate’s private key file. 


If this field is left blank, the logging server assumes the private key is included with the 
certificate and uses the path and filename for the Secure Logging Certificate. 


Again, this is only required if you do not use the Nsure Audit program’s embedded certificates. 


IMPORTANT: Nsure Audit only recognizes certificates and private keys that are generated 
with the AudCGen utility. For more information, see “Creating the Secure Logging Certificate” 
on page 142. 


IMPORTANT: The logging server scans these containers only at startup. Therefore, if you add 
a container, you must restart the logging server. For information on restarting the Secure 
Logging Server, see “Secure Logging Server Startup Commands’ on page 182. 


The Application containers supported by the current Logging Server object. 


Application containers provide a reference point through which the logging server can locate 
Application objects. Application containers must be included in this list for the logging server to 
locate their associated Application objects. For more information on Application containers and 
objects, see “Application Objects” on page 30. 


The Application container in Logging Services is added to this list by default. 


The Notification containers supported by the current Logging Server object. 


Notification containers provide a reference point through which the logging server can locate 
Notification Filter and Heartbeat objects. Notification containers must be included in this list for 
the logging server to locate their associated Notification objects. For more information, see 
“Notification Objects” on page 32. 


The Notification container in Logging Services is added to this list by default. 


The Channel containers supported by the current Logging Server object. 


Channel containers provide a reference point through which the logging server can locate 
Channel objects. Channel containers must be included in this list for the logging server to locate 
their associated Channel objects. For more information on Channel containers and objects, see 
“Configuring System Channels” on page 77. 


The Channel container in Logging Services is added to this list by default. 


The memory configuration settings allow you to optimize your logging server’s performance. 
You should adjust these settings based on logging traffic and the amount of memory available 
to your system. Reasonable values depend on your network. 


In organizations that require high-performance logging, these parameters should be set high 
enough to accommodate peak loads. 


For organizations that must minimize potential data loss, these settings should be very small. 
Although this might slow performance, it minimizes the amount of data that might be lost in the 
event of server failure. 


If incoming log events exceed the amount of memory you have allocated on your logging 
server, the Platform Agents temporarily write events to their Disconnected Mode Caches until 
the logging server clears its cache. This prevents any logged events from being lost. 
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Attribute 


Minimum 


Normal 


Maximum 


Status 


Description 


The amount of memory the server automatically allocates at boot time to handle logging 
processes. 


Because allocating additional memory on the fly can slow down code execution, this setting 
should represent the minimum amount of memory needed to handle your system’s baseline 
level of logging traffic. Pre-allocating the minimum amount of memory required by your system 
reduces additional blocking delays when the system is under high load and facilitates faster 
processing of incoming events. 


The amount of memory the server can immediately allocate if logging traffic exceeds the 
Minimum memory setting. 


The maximum amount of memory that can be allocated to logging processes. 


Setting a maximum prevents Nsure Audit from monopolizing the server’s resources. Ideally, this 
should be set close to the Normal memory setting. 


If logging traffic exceeds the Normal memory setting, the server incrementally increases the 
logging cache 4 KB at a time. (4 KB is the amount of memory required to process a single 
event.) When the Maximum memory allocation is reached, the server begins dropping Platform 
Agent connections. If the logging server drops its connection, the Platform Agent simply logs 
events to its Disconnected Mode Cache, thereby ensuring no information is lost. When free 
cache is available, the logging server once again accepts Platform Agent connections. 


This option allows you to enable or disable the Secure Logging Server. By default, the logging 
server is enabled. 


If you mark the Disabled option, you must either restart the server or manually unload the 
Secure Logging Server for this setting to become effective. Thereafter, the server cannot launch 
the Secure Logging Server (lengine) until you mark Enabled. 


For information on unloading the logging server, see “Secure Logging Server Startup 
Commands” on page 182. 


Configuring the Logging Server in iManager 


The Server Configuration task in iManager allows you to configure a specific Logging Server 
object in the tree. It also allows you to create Channel, Notification, and Application objects in the 
server’s supported containers. 


NOTE: Channel, Notification, and Application containers cannot be created from the Server Configuration 
task. Container objects can be created only from the Object view. For general information on creating objects 
from the Object view, see “Creating Objects in iManager” on page 41. 


To use the Server Configuration task in iManager: 
4 Click the Roles and Tasks button on the iManager toolbar. 


2 Inthe Roles and Tasks view, expand the Nsure Audit role and select the Server Configuration 
task. 


3 Specify the Logging Server object you want to modify, then click OK. 
3a Click the Object Selector button to locate the object in the directory tree. 


To move up or down in the tree, click the navigation arrows. You can also search the tree 
by entering the object name and context in the Search frame. 


iManager only links valid entries. 
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3b Click the Object History button LEI to see a list of Logging Server objects that have been 


selected during this iManager session. 


4 Modify the Logging Server object’s attributes. 


IMPORTANT: If you modify attributes in multiple tabs, you must click Apply in each screen to save your 


changes. 


5 When finished, click OK. 


The following table outlines the options available from the Server Configuration task: 


Menu Option 
General 
Configuration 


Host Server 


Driver Directory 


Log Channel 


Secure Logging Certificate File 


Description 


The General screen provides three sub-menus: Configuration, Memory, and Status. 


The distinguished name of the NCP Server object associated with the current logging 
server. 


Click the Object Selector button to select the Host Server in the tree. 


The directory in which the channel drivers (Igd*) are located. 
The default channel driver directories are as follows: 

+ sys:\system\ (NetWare) 

¢ \program files\novell\nsure audit\ (Windows) 

¢ /opt/novell/naudit/ (Linux) 

/opt/NOVLnaudit/ (Solaris) 


+ 


The Channel object the logging server uses to create the central data store. 


Click the Object Selector button to select the Channel object in the tree. 


The path and filename for the Logging Server Certificate. 


This attribute enables the logging server to use a custom certificate created with the 
AudCGen utility. If this field is left blank, the logging server uses the default embedded 
certificate. 


IMPORTANT: Nsure Audit only recognizes certificates that are generated with the 
AudCGen utility. For information on generating custom certificates, see “Creating the 
Secure Logging Certificate” on page 142. 


NSure Audit uses certificates to authenticate client connections. The logging server 
accepts connections only from applications that have a valid Logging Application 
Certificate. 


For general information on how certificates are used in Nsure Audit, see Chapter 11, 
“Security and Non-Repudiation,” on page 139. 
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Menu Option Description 


Secure Logging Privatekey File The path and filename for the Secure Logging Certificate’s private key file. 


If this field is left blank, the logging server assumes the private key is included with the 
certificate and uses the path and filename for the Secure Logging Certificate. 


Again, this is only required if you do not use the Nsure Audit program’s embedded 
certificates. 


IMPORTANT: Nsure Audit only recognizes certificates and private keys that are 
generated with the AudCGen utility. For more information, see “Creating the Secure 
Logging Certificate” on page 142. 


Memory The memory configuration settings allow you to optimize your logging server’s 
performance. You should adjust these settings based on logging traffic and the amount 
of memory available to your system. Reasonable values depend on your network. 


In organizations that require high-performance logging, these parameters should be set 
high enough to accommodate peak loads. 


For organizations that must minimize potential data loss, these settings should be very 
small. Although this can slow performance, it minimizes the amount of data that might be 
lost in the event of server failure. 


If incoming log events exceed the amount of memory you have allocated on your logging 
server, the Platform Agents temporarily write events to their Disconnected Mode Caches 
until the logging server clears its cache. This prevents any logged events from being lost. 


Minimum The amount of memory the server automatically allocates at boot time to handle logging 
processes. 


Because allocating additional memory on the fly can slow down code execution, this 
setting should represent the minimum amount of memory needed to handle your 
system’s baseline level of logging traffic. Pre-allocating the minimum amount of memory 
required by your system reduces additional blocking delays when the system is under 
high load and facilitates faster processing of incoming events. 


Normal The amount of memory the server can immediately allocate if logging traffic exceeds the 
Minimum memory setting. 


Maximum The maximum amount of memory that can be allocated to logging processes. 


Setting a maximum prevents Nsure Audit from monopolizing the server’s resources. 
Ideally, this should be set close to the Normal memory setting. 


If logging traffic exceeds the Normal memory setting, the server incrementally increases 
the logging cache 4 KB at a time. (4 KB is the amount of memory required to process a 
single event.) When the Maximum memory allocation is reached, the server begins 
dropping Platform Agent connections. If the logging server drops its connection, the 
Platform Agent simply logs events to its Disconnected Mode Cache, thereby ensuring no 
information is lost. When free cache is available, the logging server once again accepts 
Platform Agent connections. 


Status This option allows you to enable or disable the Secure Logging Server. By default, the 
logging server is enabled. 


If you mark the Disabled option, you must either restart the server or manually unload the 
Secure Logging Server for the setting to become effective. Thereafter, the server cannot 
launch the Secure Logging Server (lengine) until you mark Enabled. 


For information on unloading the logging server, see “Secure Logging Server Startup 
Commands’ on page 182. 
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Menu Option 


Channels 


Add Container 


Remove Container 


New Channel 


Description 


The Channels screen allows you to add or remove the Channel containers supported by 
the current Logging Server object. It also allows you to view, create, modify, and delete 
Channel objects within supported Channel containers. 


IMPORTANT: The logging server scans Channel containers and objects only at startup. 
Therefore, if you add, remove, or modify a Channel container or object, you must restart 
the logging server for the change to take effect. For more information, see “Secure 
Logging Server Startup Commands” on page 182. 


For more information on Channel objects, see Chapter 8, “Configuring System 
Channels,” on page 77. 


Adds an existing Channel container to the logging server's list of supported containers. 
Adding a container means that the logging server scans that container for Channel 
objects at startup. 


The Channel container in Logging Services is added to this list by default. 


Channel containers cannot be created from the Server Configuration task. Container 
objects can only be created from the Object view. For general information on creating 
objects from the Object view, see “Creating Objects in iManager” on page 41. 


To add a Channel container to the logging server’s list of supported Channel containers: 
1. Click Add Container. 
2. Select a Channel container from the tree. 


To move up or down in the tree, click the navigation arrows. You can also search the tree 
by entering the object name and context in the Search frame. 


Removes the selected Channel container from the logging server's list of supported 
containers. Removing a container means that the logging server no longer scans that 
container for Channel objects at startup. 


Removing a Channel container from the list does not delete the container or any of its 
associated objects. 


To remove a Channel container from the logging server's list of supported Channel 
containers: 


1. Mark the Channel container you want to remove. 


2. Click Remove Container. 


Creates a new Channel object in the selected container. 

1. Mark the Channel container in which you would like to create the Channel object. 
2. Click New Channel, then OK. 

3. Select the Channel object type. 

4. Specify the Channel object name. 

5. Click OK. 


The new Channel object now appears under the designated Channel container. 
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Menu Option 


Edit Channel 


Delete Channel 


Notifications 


Add Container 


Remove Container 


Description 
Allows you to modify the selected Channel object's configuration. 


To define or modify a Channel object’s attributes: 
1. Mark the Channel object you want to modify. 
2. Click Edit Channel. 


3. Modify the object's attributes. You must click Apply in each screen to save your 
changes. 


4. When finished, click OK. 


Deletes the selected Channel object. Deleting a Channel object completely removes the 
object from the system. 

1. Mark the Channel object you want to delete. 

2. Click Delete Channel. 

The Notifications screen allows you to add or remove the Notification containers 


supported by the current Logging Server object. It also allows you to view, create, modify, 
and delete Notification objects within supported Notification containers. 


IMPORTANT: The logging server scans only Notification containers and objects at 
startup. Therefore, if you add, remove, or modify a Notification container or object, you 
must restart the logging server for the change to take effect. For more information, see 
“Secure Logging Server Startup Commands’ on page 182. 


For more information on Notification objects, see Chapter 9, “Configuring Filters and 
Event Notifications,” on page 99. 


Adds an existing Notification container to the logging server's list of supported 
containers. Adding a container means that the logging server scans that container for 
Notification objects at startup. 


The Notification container in Logging Services is added to this list by default. 


Notification containers cannot be created from the Server Configuration task. Container 
objects can only be created from the Object view. For general information on creating 
objects from the Object view, see “Creating Objects in iManager” on page 41. 


To add a Notification container to the logging server's list of supported Notification 
containers: 


1. Click Add Container. 


2. Select a Notification container from the tree. 


To move up or down in the tree, click the navigation arrows. You can also search the tree 
by entering the object name and context in the Search frame. 


Removes the selected Notification container from the logging server's list of supported 
containers. Removing a container means that the logging server no longer scans that 
container for Notification objects at startup. 


Removing a Notification container from the list does not delete the container or any of its 
associated objects. 


To remove an Application container from the logging server’s list of supported Application 
containers: 


1. Mark the Application container you want to remove. 


2. Click Remove Container. 
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Menu Option Description 


New Notification Creates a new Notification object in the selected container. 


1. Mark the Notification container in which you would like to create the Notification 
object. 


2. Click New Notification, then click OK. 

3. Specify the Notification object name. 

4. Select Notification or Heartbeat Notification. 
5. Click OK. 


The new Notification object now appears under the designated Notification container. 


For more information on Notification objects, see Chapter 9, “Configuring Filters and 
Event Notifications,” on page 99. 


Edit Notification Allows you to modify the selected Notification object's configuration. 


To define or modify a Notification object’s attributes: 
1. Mark the Notification object. 
2. Click Edit Notification. 


3. Modify the object's attributes. You must click Apply in each screen to save your 
changes. 


4. When finished, click OK. 


For detailed information on Notification object attributes, see “Notification Filters” on 
page 100 and “Heartbeat Objects” on page 102. 


Delete Notification Deletes the selected Notification object. Deleting a Notification object completely 
removes the object from the system. 
1. Mark the Notification object you want to delete. 
2. Click Delete Notification. 

Log Applications The Log Applications screen allows you to add or remove the Application containers 


supported by the current Logging Server object. It also allows you to view, create, modify, 
and delete Application objects within supported Application containers. 


IMPORTANT: The logging server scans application containers and objects only at 
startup. Therefore, if you add, remove, or modify an Application container or object, you 
must restart the logging server for the change to take effect. For more information, see 
“Secure Logging Server Startup Commands’ on page 182. 


For more information on Application objects, see Chapter 7, “Managing Applications that 
Log to Nsure Audit,” on page 73. 
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Menu Option Description 


Add Container Adds an existing Application container to the logging server's list of supported containers. 
Adding a container means that the logging server scans that container for Application 
objects at startup. 


The Application container in Logging Services is added to this list by default. 


Application containers cannot be created from the Server Configuration task. Container 
objects can only be created from the Object view. For general information on creating 
objects from the Object view, see “Creating Objects in ¡Manager” on page 41. 


To add an Application container to the logging server's list of supported Application 
containers: 


1. Click Add Container. 


2. Select an Application container from the tree. 


To move up or down in the tree, click the navigation arrows. You can also search the tree 
by entering the object name and context in the Search frame. 


Remove Container Removes the selected Application container from the logging server's list of supported 
containers. Removing a container means that the logging server no longer scans that 
container for Application objects at startup. 


Removing an Application container from the list does not delete the container or any of 
its associated objects. 


To remove an Application container from the logging server's list of supported Application 
containers: 


1. Mark the Application container you want to remove. 


2. Click Remove Container. 


New Log Application Creates a new Application object in the selected container. 


Application objects are automatically created when Nsure Audit-enabled applications are 
installed into your tree; however, if necessary, Application objects can also be manually 
added to the tree. 


1. Mark the Application container in which you would like to create the Application object. 
2. Click New Log Application, then click OK. 
3. Specify the Application object name and click OK. 


The new Application object now appears under the designated Application container. 


Edit Log Application Allows you to modify the selected Application object's configuration. 
To define or modify an Application object's attributes: 
1. Mark the Application object. 
2. Click Edit Log Application. 


3. Modify the object's attributes. You must click Apply in each screen to save your 
changes. 


4. When finished, click OK. 


For information on the Application object's attributes, see “Application Objects” on 
page 74. 
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Menu Option 


Delete Log Application 


Description 


Deletes the selected Application object. Deleting an Application object completely 
removes the object from the system. 


1. Mark the Application object you want to delete. 


2. Click Delete Log Application. 


Configuring the Data Store 


Nsure Audit is able to write the data store to the following storage devices: 
+ File Data Store 
+ MySQL Data Store 
+ Oracle Data Store 


+ Syslog Data Store 


Before selecting a storage device for your data store, you need to consider your system’s logging 
traffic. On the high end, the File driver can process over 60,000 events per second on a P4 Xeon 
class server. Databases, on the other hand, are, much slower. The MySQL driver can handle about 
3,000 events per second on a P4 Xeon class server. 


Novell Nsure Audit is designed to handle occasional peaks that exceed a given database’s 
limitations; however, if you expect to consistently exceed the database driver’s capacity, you must 
plan your setup accordingly, either by using multiple Secure Logging Servers or by using the file 
driver. 


IMPORTANT: In planning your system setup, you should perform your own throughput test in your 
environment and not rely solely on the numbers provided in this document. 


To configure the Nsure Audit data store, you must first create a Channel object. Each Channel 
object defines the parameters associated with its corresponding storage device. For example, 
MySQL Channel objects include the IP address or host name of the MySQL database server, a 
username and password for connecting with the server, the database and table names, and fields 
for SQL table create and expiration commands. For more information on creating and configuring 
Channel objects, see Chapter 8, “Configuring System Channels,” on page 77. 


After creating the Channel object, you must configure the logging server to log events to that 
channel. The Log Driver property in the Logging Server object determines which Channel object 
the server uses to create the data store. For more information on the Log Driver property, see 
“Logging Server Objects” on page 55. 


After the Channel and Logging Server objects are configured, you must restart the logging server 
to load the Channel object configuration and the channel driver. In most cases, the channel driver 
automatically creates the necessary file or database table for the data store. 


IMPORTANT: Novell Nsure Audit does not secure the data store. Therefore, you must manage data store 
security at the database, for MySQL and Oracle data stores, or through the file system, in the for file data 
stores. 


The data store structure for each storage device is discussed in the following sections. 
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File Data Store 


Depending on the File Channel object configuration, the File channel driver (lgdfile) can log 
events in raw format or it can translate the event data into a human-readable log. All file data stores 
are named “log.” 


Raw files simply contain the event data; consequently, they are not in a human-readable format. 
However, because they maintain a consistent field structure across events, they can be imported 
into spreadsheet programs like Microsoft Excel. 


The following is a sample from a raw log file: 


16777343,1051924636,1051924647, eDirInst\Object, 721699,7,0, .OntarioTestData.Channels.Logging 
Services,,0,0,0,L1NhdHVybiBMb2dnaW5nIFN1cnZ1ci5Mb2dnaW5nIFN1cnZpY2Vz 
16777343,1051924636,1051924647, eDirInst\Object, 721690,7,0, .eDirectoryInstrumentation.Applicat 
ions.Logging Services,,0,0,0,LI1NhdHVybiBMb2dnaW5nIFN1cnZ1ci5Mb2dnaW5nIFN1cnZpY2Vz 
16777343,1051926065, 1051926065, eDirInst\Object, 720897,7,0,.BillBob.SIM,,0,0,1, LmFkbWluL1INJTQ= 


Translated log files, on the other hand, can be visually scanned for content; however, it is difficult 
to generate reports from these files because there is no consistent field structure—they contain 
only the event descriptions. 


The following is a sample from a translated log file: 


[Sat, 03 May 2003 01:25:10 +0000] eDirInst\Object: A read operation was performed on object 


. Ontario 


TestData.Channels.Logging Services by .Saturn Logging Server.Logging Services 


[Sat, 03 May 2003 01:25:10 +0000] eDirInst\Object: A list Subordinate Entires operation has 
been performed on container .eDirectory Instrumentation.Applications.Logging Services by 
-Saturn Logging Server.Logging Services 


[Sat, 03 May 2003 


01:39:41 +0000] eDirInst\Object: A new eDirectory object called .BillBob.SIM 


(Class:User) was created by .admin.SIM 


In addition to providing different log formats, the File channel is capable of creating localized logs. 
If the logging applications have localized Log Schema (LSC) files, the File channel can write 
translated log files in the language designated in the File Channel object. 


Nsure Audit includes a utility, called LETrans, that can translate raw log files into human readable 
format. See “LETrans” on page 189. 


NOTE: LSC files catalog the events that can be logged for a given application. They can also indicate what 
kind of data is stored in the event fields and provide descriptive information on the event itself. For more 
information, see “Log Schema Files” on page 161. 


For more information on the File channel, see “File” on page 81. 


MySQL Data Store 


When the logging server loads the MySQL Channel object configuration, the MySQL channel 
driver, lgdmsql, automatically creates the data store’s database and table using the names defined 
in the MySQL Channel object. 


The MySQL channel driver builds the data store using the following table structure: 
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Field Type Null Key Default Extra 
SourcelP int(11) [YES | 
9 ClientTimestamp lint(11] YES [MUL 
ClientMS int(11) YES 
ServerT imestamp | int(11) YES 
SessionID int(11) YES 
Component warchar[255] YES | 
|$ EventID int(11) YES MUL 
Severity int(11) YES 
Grouping int(11) [YES 
Driginator warchar(255) YES 
DriginatorType — [int(11) YES 
Target warchar(255) YES | 
TargetT ype int(11) YES 
SubT arget varchar[255] YES 
Textl | varchar[255] YES 
Text2 varchar[255) YES 
Text3 warchar(255) YES 
Valuel int(11) YES | 
Value2 int(11) YES 
Value] int(11) YES | 
MIMEType int(11) YES 
DataSize int(11) YES 
Data mediumblob [YES 
Signature warchar(255) YES 
The default number of rows depends on the operating system. The default maximum size for a 
MySQL table is 4 GB (or 2 GB if your operating system only supports 2 GB tables). This default 


size limitation keeps pointer sizes down, making the index smaller and faster. 


IMPORTANT: If the SQL server data volume runs out of disk space, any clients logging events will freeze and 
need to be restarted. 


NOTE: If you need larger tables, use the max_rows and avg_row_length commands in the MySQL Channel 
object's Create Table Options property 


For more detailed information on using MySQL with Nsure Audit, see Appendix B, “Using 
MySQL with Nsure Audit,” on page 165. 


For more information on the MySQL channel, see “MySQL” on page 85. 


Oracle Data Store 


66 


The Oracle channel drive, lgdora, creates the table for the Oracle data store automatically. In most 
circumstances, you do not need to create the data store table. 


If a situation arises requiring you to create this table manually, you can create the data store using 
the following table structure: 
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Datatype Nulls? 
SOURCEIP NUMBER 0 
CLIENTTIMESTAMP NUMBER 0 | 
CLIENTMS NUMBER 0 | 
SERVERTIMESTAMP NUMBER 0 | 
SESSIONID NUMBER 0 | 
COMPONENT VARCHAR2 255 | 
EVENTID [NUMBER 0 
SEVERITY NUMBER 0 | 
GROUPING [NUMBER 0 
ORIGINATOR VARCHAR2 255 v | 
ORIGINATORTYPE NUMBER 0 
TARGET VARCHAR? 255 Y 
TARGETTYPE NUMBER 0 | 
SUBTARGET VARCHAR2 255 v | 
TEXTI VARCHAR2 255 wv | 
TEXT2 VARCHAR2 255 v | 
TEXT3 VARCHAR? 255 v | 
VALUE1 NUMBER 0 | 
VALUE? NUMBER 0 
VALUE3 NUMBER 0 
MIMETYPE NUMBER 0 | 
DATASIZE NUMBER 0 
DATA LONG RAW v | 
SIGNATURE VARCHAR2 255 Y 


+ 


For more information on the Oracle channel, see “Oracle” on page 88. 


IMPORTANT: Because Oracle no longer supports NetWare, Oracle data stores can be created only on 


Windows, Solaris, and Linux systems. 


Syslog Data Store 


The Syslog channel driver, lgdsyslog, allows the logging server to log events to a specific syslog 


facility on any syslog host. 


Itis also capable of creating localized logs. Ifthe logging applications have localized Log Schema 
(LSC) files, the Syslog channel can write the log files in the language designated in the Syslog 
Channel object. 


For more information on the Syslog channel, see “Syslog” on page 94. 


Microsoft SQL Server Data Store 


The Microsoft SQL Server channel driver, lgdmssq]l, creates the table for the SQL Server data store 
automatically. In most circumstances, you do not need to create the data store table. 


If a situation arises requiring you to create this table manually, you can create the data store using 
the following table structure: 
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Column Name Length | Allow Nulls 
SourcelP int 
ClientTimeStamp int 


4 
4 
Clients int 4 
4 
4 


Data Type 


ServerTimestamp int 

SessionID int 

Component varchar 255 
EventID int 

Severity int 4 
Grouping int 4 
Originator varchar 255 
OriginatorType int 4 
Target varchar 255 
TargetType int 4 
SubTarget varchar 255 
Text1 varchar 255 
Text2 varchar 255 
Text3 varchar 255 
Value int 4 
Value2 int 4 
Value3 int 4 
MIMEType int 4 
DataSize int 4 
Data image 16 
Signature varchar 255 


LHe eae < 
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Logging eDirectory, NetWare, and File System 
Events 


Novell® Nsure™ Audit provides the instrumentations necessary to log Novell eDirectory™, 
NetWare®, traditional file system, and NSS events. This section provides the information you need 
to determine which events you should log to protect your corporate assets and how to log those 
events. 


+ “Instrumentation Files” on page 69 
+ “Logging Events” on page 70 

+ “NetWare Events” on page 71 

+ “File System Events” on page 71 


¢ “eDirectory Events” on page 71 


Instrumentation Files 


The NetWare and eDirectory Instrumentations for Novell Nsure Audit (auditNW and auditDS, 
respectively) allow Nsure Audit to log NetWare, eDirectory, and file system events. 


To enable NetWare and file system logging, auditNW must be loaded on every NetWare server on 
which you want to log NetWare and file system events. To avoid receiving duplicate entries for 
eDirectory events, enable the do not sent replicated events option. To enable this, open the Nsure 
Audit tab of your NCP Server object and check the "Do not send replicated events" checkbox. To 
log non-replicated events (such as logins), it must be installed on each individual server for which 
you want to log non-replicated events. 


Additionally, the Platform Agent must be installed on every server on which you want to log 
NetWare, file system, and eDirectory events. AuditNW and auditDS automatically load the 
Platform A gent (logevent) to send events to the Secure Logging Server. 


On NetWare, auditN W and auditDS are automatically loaded each time the server restarts. On 
Windows, Linux, and Solaris systems, you must manually load auditDS or add auditDS to the 
server startup scripts to begin logging eDirectory events. For information on starting the NetWare 
and eDirectory Instrumentations, see “NetWare and eDirectory Instrumentation Startup 
Commands” on page 183 


Supported Platforms 


The eDirectory Instrumentation can log events from the following versions of the Directory: 
+ NDS? 6.x 
+ NDS 7.x 
+ NDS 8.x 
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¢ eDirectory 8.6 (NetWare, Windows, Linux, and Solaris) 
¢ eDirectory 8.7 (NetWare, Windows, Linux, and Solaris) 


The NetWare Instrumentation can log NetWare and file system events from the following 
platforms: 


+ NetWare 4.2 SP9 
+ NetWare 5.1 SP6 
+ NetWare 6.0 SP3 
+ NetWare 6.5 


Logging Events 


During installation, Nsure Audit extends the definition of the NCP Server object to include log 
settings for eDirectory, NetWare, and file system events. These settings are found under the Nsure 
Audit option in the NCP Server object. 
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The Nsure Audit screen has four different menus: Server, NetWare, Filesystem, and eDirectory. 
The Server menu identifies the Logging Server object associated with the current NCP Server 
object. This menu is for informational purposes only and cannot be modified. The NetWare, 
Filesystem, and eDirectory menus list the events that fall in their respective categories. 


To select which NetWare, File system, or eDirectory events you want to log: 
1 Click Nsure Audit in the NCP Server object. 


2 Select an event menu (NetWare, Filesystem, or eDirectory). 
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3 Mark the check box next to the events you want to log. 
4 Click Apply. 

IMPORTANT: You must click Apply in each screen to save your changes. 
5 When finished, click OK. 


When you click Apply, the logging server automatically begins logging the marked events. 


NOTE: You do not need to restart the logging server to effect changes to Nsure Audit attributes in the NCP 
Server object. 


NetWare Events 


NetWare events are server-specific settings; that is, they must be enabled on each NCP Server 
object in the tree. The NetWare Instrumentation can log NetWare and file system events from 
NetWare 4.2 systems and higher. 


The NetWare Events (http://www.novell.com/documentation/lg/nsureaudit/html/ 
netware_events.htm) link opens a table that lists the File System events that can be logged to 
Novell Nsure Audit. 


NOTE: You do not need to restart the logging server to activate your changes in the NetWare menu. 


File System Events 


File System events are server-specific settings; that is, they must be enabled on each NCP Server 
object in the tree. The NetWare Instrumentation logs all traditional and NSS file system activity 
for the selected events. 


NOTE: If you want to filter events on a volume or directory level, you can create Notification filters that select 
events based on the volume or directory listed in the Text2 field. 


The File System Events (http://www.novell.com/documentation/lg/nsureaudit/html/ 
filesystem_events.htm) link opens a table that lists the File System events that can be logged to 
Novell Nsure Audit: 


NOTE: You do not need to restart the logging server to activate your changes in the Filesystem menu. 


eDirectory Events 


eDirectory events are partition-specific; that is, they only need to be enabled on one NCP Server 
object per partition. The eDirectory Instrumentation can log events from NDS version 6 or 7 and 
eDirectory 8.5 or higher. 


The eDirectory Events (http://www.novell.com/documentation/lg/nsureaudit/html/ 
edirectory_events.htm) link opens a table that lists the eDirectory events that can be logged to 
Novell Nsure Audit: 


NOTE: You do not need to restart the logging server to activate your changes in the eDirectory menu. 


eDirectory events describing attribute changes store the new attribute values in the event’s data 
field. 


In the case of a few critical events, eDirectory cannot complete the transaction until the 
corresponding event is sent to the Secure Logging Server. This ensures that the transaction is 
logged to the data store. (These events are noted in the event table.) 
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eDirectory events such as login and logout are ubiquitous and can quickly fill your data store. 
Therefore, you should monitor your system’s event traffic and configure your data store’s 
expiration or roll policies accordingly. For information on the MySQL channel’s expiration 
properties, see “MySQL Channel Object” on page 86. For information on configuring the File 
channel to purge or roll its log files, see “File Channel Object” on page 82. 
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Overview 


Managing Applications that Log to Nsure Audit 


Novell® Nsure™ Audit is a comprehensive auditing system that is capable of logging events from 
multiple, multi-vendor applications. This section provides the information you need to manage 
your system’s logging applications. 


+ “Overview” on page 73 
+ “Creating Application Objects” on page 73 
+ “Application Objects” on page 74 


Applications that log to or request information from Nsure Audit are represented in Novell 
eDirectory™ by an Application object. Application objects store the information the logging server 
needs to authenticate logging applications. 


NOTE: For more information on the authentication process, see “Authenticating Logging Applications” on 
page 139. . 


In addition to facilitating system authentication and monitoring, Application objects store the 
application’s log schema. The log schema catalogs the events that can be logged for a given 
application. For more information, see “Log Schema Files” on page 161. 


Creating Application Objects 


Typically, Application objects are automatically created in the Application container under 
Logging Services when their associated logging application is installed. 


For example, during installation, Novell Nsure Audit automatically creates Application objects for 
itself (the Naudit Instrumentation), the eDirectory Instrumentation, and the NetWare® 
Instrumentation. Novell Nsure Audit creates these objects in the Application container under 
Logging Services. 


NOTE: The Naudit Instrumentation allows Nsure Audit to audit its own events, such as creating Channel or 
Notification objects. The eDirectory Instrumentation manages logging of eDirectory events, and the NetWare 
Instrumentation (NetWare only) provides logging for NetWare and file system events. For more information on 
the eDirectory and NetWare instrumentations, see Chapter 6, “Logging eDirectory, NetWare, and File System 
Events,” on page 69. 


If necessary, you can also create Application objects using iManager. If you manually create the 
Application object, you must have the product’s Application Identifier and the Application ID. 
Although these should be available in the product’s documentation, they are also included in the 
product’s Log Schema file. For more information on the Application Identifier and Application ID 
attributes, see “Application Objects” on page 74. For information on using iManager, see Chapter 
4, “Nsure Audit iManager Plug-in,” on page 39. 
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You must also create the Application object in an Application container. The Application container 
under Logging Services is automatically created during installation; however, additional 
Application containers can be created anywhere in the tree. 


Creating Application objects in the central Application container under Logging Services is ideal 
for organizations that need a simple, easy-to-manage logging system. It also suits organizations 
that are implementing Nsure Audit as an auditing solution and, for security reasons, want to 
centrally manage their system. 


If you want to distribute logging system administration, however, Application objects can be 
created anywhere in the tree. For example, if administration is divided by logging server, you can 
create an Application container under each Logging Server object. On the other hand, if 
administration is divided by application (for example, one person manages logging for iChain®, 
another DirxML® lo gging, etc.), the Application container can be created in any context assigned 
to its administrator. 


If you create an Application container elsewhere in the tree, you must add that container to the 
logging server’s list of supported containers. At startup, the logging server scans its list of 
supported Application containers and loads the included Application object configurations in 
memory so it can authenticate applications. If an Application object is not in one of the logging 
server’s supported Application containers, it cannot be used to authenticate logging applications. 
For more information on the logging server’s Application Container property, see “Logging Server 
Objects” on page 55. 


IMPORTANT: The logging server loads the Application object configurations at startup only. Therefore, if you 
create a new Application container or Application object, you must first ensure that the Application container 
is included in the logging server’s Application Container list and then restart the logging server. For information 
on restarting the logging server, see “Secure Logging Server Startup Commands” on page 182. 


Application Objects 


Attribute 


Application Identifier 


Application objects store the information required by the logging server to authenticate logging 
applications. They also identify which users have rights to monitor the application’s events and 
they store the application’s log schema. 


The following table provides a description of each Application object attribute. 


IMPORTANT: You must restart the logging server to effect any changes in Application object configuration. 
For more information, see “Secure Logging Server Startup Commands” on page 182. 


Description 


The name the logging application uses to identify itself to the logging server. 


The Application Identifier is also stored in the application’s certificate. For information on how 
the Application Identifier is used in the authentication process, see “Authenticating Logging 
Applications” on page 139. 


The Application Identifier is part of the Component string for every event logged from the 
current application. For more information, see “Event Structure” on page 155. 


This field is automatically populated when the Application object is created during install. If you 
manually create the Application object, you can find the Application Identifier in the application’s 
Log Schema file. For more information, see “Log Schema Files” on page 161. 
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Attribute 


Application ID 


Access Control 


Status 


Description 
The four-digit hex value assigned to the current application. 


All Application IDs are assigned through Novell Developer Support and are maintained in the 
Novell Nsure Audit central registry. 


The Application ID is also part of the Event ID for every event logged from the current 
application. For more information, see “Event Structure” on page 155. 


This field is automatically populated when the Application object is created during install. If you 
manually create the Application object, you can find the Application ID in the application’s Log 
Schema file. For more information, see “Log Schema Files” on page 161 


NOTE: The logging server uses the Application ID to manage Access Control. The users 
designated in the Access Control field can monitor all events containing this Application ID. 


The users who have rights to monitor the current application’s events. This is for future 
iterations of the product. 


This option allows you to enable or disable the Application object. By default, all Application 
objects are enabled. This means that the logging server loads the Application object's 
configuration in memory at startup. 


IMPORTANT: The Application object must be located in a supported Application container for 
the logging server to use it. For more information on the logging server's Application Container 
property, see “Logging Server Objects” on page 55. 


If you mark the Disabled option, you must restart the Secure Logging Server for the setting to 
become effective. Thereafter, the logging server cannot load the object's configuration until you 
mark Enabled. 


For information on unloading the logging server, see “Secure Logging Server Startup 
Commands” on page 182. 
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Configuring System Channels 


Novell® Nsure™ Audit uses channels to provide event notification and log events. This section 
provides the information you need to configure your system channels. 


+ “Overview” on page 77 
+ “Creating Channel Objects” on page 77 
+ “Supported Channels” on page 78 

+ “CVR” on page 79 

+ “File” on page 81 

+ “Java” on page 84 

+ “MySQL” on page 85 

+ “Oracle” on page 88 

+ “SMTP” on page 90 

+ “SNMP” on page 92 

+ “Syslog” on page 94 

+ “JDBC” on page 96 

+ “Microsoft SQL Server” on page 97 


Overview 


Channel drivers enable Novell Nsure Audit to log system events and provide event notification. 
Channel drivers, in turn, are configured and managed through Channel objects in Novell 
eDirectory™. 


Channel objects store the information the logging server needs to use a certain channel. For 
example, MySQL Channel objects include the IP address or host name of the MySQL database 
server, a username and password to connect to the server, the database and table names, and other 
relevant information. SMTP Channel objects, on the other hand, include the IP address or host 
name of the SMTP server, a username and password, and message information (the message 
recipients, sender, subject, and body). 


Creating Channel Objects 


Novell Nsure Audit is designed so you can create multiple Channel objects for any given channel 
driver. This means you can create different channel configurations for different functions or 
events. For instance, you can configure the Logging Server to use one MySQL Channel object to 
add events to the central data store and configure a Notification Filter to use another MySQL 
Channel object to create a filtered log. 
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You can create Channel objects using iManager. For information on using iManager, see Chapter 
4, “Nsure Audit iManager Plug-in,” on page 39. 


You must create Channel objects in Channel containers. The Channel container under Logging 
Services is automatically created during installation; however, additional Channel containers can 
be created anywhere in the tree. 


Creating Channel objects in the central Channel container under Logging Services is ideal for 
organizations that need a simple, easy-to-manage logging system. It also suits organizations that 
are implementing Novell Nsure Audit as an auditing solution and, for security reasons, want to 
centrally manage their system. 


If you want to distribute logging system administration, however, Channel objects can be created 
anywhere in the tree. For example, if administration is divided by logging server, you can create a 
Channel container under each Logging Server object. On the other hand, if administration is 
divided by application (for example, one person manages logging for iChain®, another DirxML® 
logging, etc.), the Channel container can be created in any context assigned to its administrator. 


If you create a Channel container elsewhere in the tree, you must add that container to the logging 
server’s list of supported containers. At startup, the logging server scans its list of supported 
Channel containers and loads the included Channel object configurations and their associated 
drivers in memory so it can provide event notification and log events. If a Channel object is not in 
one of the logging server’s supported Channel containers, it cannot be used to provide event 
notification or log events. For more information on the logging server’s Channel Container 
property, see “Logging Server Objects” on page 55. 

IMPORTANT: The logging server loads the Channel object configurations only at startup. Therefore, if you 
create a new Channel container or Channel object, you must first ensure the Channel container is included in 


the logging server’s Channel Container list and then restart the logging server. For information on restarting 
the logging server, see “Secure Logging Server Startup Commands” on page 182. 


Supported Channels 


78 


The NetWare® 6.5 product license authorizes you to use the Nsure Audit program’s SMTP, File, 
and MySQL channels. If you configure and enable the CVR, Java, Oracle, SNMP or Syslog 
channels, Novell Nsure Audit broadcasts licensing notices every 10 minutes to all your configured 
channels. (You do not receive notices for an unlicensed channel that is configured, but disabled.) 
The licensing notice indicates that you should acquire a license when you are done evaluating the 
additional channels. 


By default, Novell Nsure Audit supports ten channels: 


CVR Oracle 
File SMTP 
Java SNMP 
MySQL Syslog 
JDBC Microsoft SQL Server 


Additional channels can be easily incorporated in this model. For more information, see the Novell 
Nsure Audit SDK. 


The directory in which the channel drivers (lgd*) are located is defined on the Logging Server 
object; however, the default channel driver directories are as follows: 
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CVR 


Operating System Directory 


NetWare sys:\system\ 

Windows \program files\novell\nsure audit\ 
Linux /opt/novell/naudit/ 

Solaris /opt/NOVLnaudit/ 


The following sections provide detailed information on each channel. 


IMPORTANT: The CVR channel resets only eDirectory attributes. 


The Critical Value Reset (CVR) channel allows you to flag an attribute in eDirectory with a reset 
policy. If the value of that specific attribute is changed, the CVR channel resets the value as per 
the policy defined in the CVR Channel object. 


The CVR channel can be used to maintain critical system settings or enforce organizational 
policies. For example, if your organization has a policy prohibiting security equivalence, you can 
create a CVR Channel object that automatically resets the Security Equals attribute to a null value. 


It can also be used to provide an added measure of system security. In the event of a security 
breach, the CVR channel can be configured to maintain your critical system settings. 


The CVR channel must be used in conjunction with a notification filter. To optimize event 
processing, the notification filter should be configured to filter only those events that the CVR 
channel can act on. For information on configuring Notification Filters, see Chapter 9, 
“Configuring Filters and Event Notifications,” on page 99. 


CVR Channel Driver 


The CVR driver is lgdcvr. 


When the CVR channel driver receives an event, it looks at the event’s Text2 field to determine if 
the logged attribute matches the attribute defined in the CVR object. If the CVR driver does not 
find a matching attribute in the event’s Text2 field, it then looks in the Text] field. 


If the contents of the Text2 or Textl field match the attribute defined in the CVR object, the driver 
looks in the remaining Text field to find the object to which the attribute belongs. It then locates 
the object in eDirectory and applies the Reset Value defined in the CVR object. 


NOTE: All eDirectory events store the event's attribute in the subTarget field and the object in the Target field. 


The reset process is very fast. Typically, an attribute is reset the instant it is saved. In fact, in 
iManager, it simply appears that the change cannot be saved. 


CVR Channel Object 


The CVR Channel object stores the policy and attribute information the CVR driver needs to reset 
a given value. 


The following table provides a description of each Channel object attribute. 
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Attribute 
Configuration 


User 


Password 


Type 


Attribute 


Reset Value 


Operators +- 


IMPORTANT: You must restart the logging server to effect any changes in Channel object configuration. For 
more information, see “Secure Logging Server Startup Commands” on page 182. 


Description 
Configuration information for the CVR Channel object. 
The User object with rights to the CVR Channel object. 


IMPORTANT: The User object must have directory rights to the attribute that the CVR Channel 
object is configured to reset. 


The user account password. 


The type of data the CVR channel can expect as a Reset Value for the attribute designated in 
the Attribute field. The data type must match the Attribute Syntax defined in the directory 
schema. 


Currently, the only supported types are Distinguished Name and String. The Distinguished 
Name type supports only Distinguished Name syntax. The String type, on the other hand, 
supports multiple Attribute Syntax options. They include: 


+ String 

+ Class Name 

+ Case Exact String 
+ Case Ignore String 
+ Numeric String 

+ Postal Address 

+ Printable String 


+ Telephone Number 


NOTE: The Attribute Syntax for a given attribute can be viewed in the eDirectory schema using 
a directory editing tool such as NDSO Snoop, ConsoleOne®, or iManager. 


The name of the attribute the CVR driver resets. You must enter the attribute name exactly as 
it appears in the eDirectory schema. 


NOTE: You can view the eDirectory schema using a directory editing tool such as NDS Snoop, 
ConsoleOne, or iManager. 


The CVR driver scans events’ Target and Subtarget fields for matching attributes. When it finds 
a match, the CVR driver applies the reset policy. For more information on this process, see 
“CVR Channel Driver” on page 79. 


The value the CVR Channel driver maintains for a given attribute. 


IMPORTANT: The CVR Channel driver does not validate the reset value syntax. Therefore, 
you must ensure the reset value follows the required attribute syntax. For example, if the 
Attribute Syntax is Telephone Number, the reset value must be a telephone number. 


Click the plus sign (+) to add a new line. Click the minus sign (-) to remove a line. 


Each line defines a separate reset policy. The policies are not accumulative; the CVR driver 
applies each policy independently. 


There is no programmed limit to the number of policies that can be added to a CVR object. 
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Attribute 


Status 


File 


Description 


This option allows you to enable or disable the Channel object. By default, all Channel objects 
are enabled. This means that the logging server loads the Channel object's configuration in 
memory at startup. 


IMPORTANT: The Channel object must be located in a supported Channel container for the 
logging server to use it. For more information on the logging server’s Channel Container 
property, see “Logging Server Objects” on page 55. 


If you mark the Disabled option, you must restart the Secure Logging Server for the setting to 
become effective. Thereafter, the logging server cannot load the object’s configuration until you 
mark Enabled. 


For information on unloading the logging server, see “Secure Logging Server Startup 
Commands” on page 182. 


The File channel allows the logging server to log events directly to file in raw format or to translate 
those events to a human-readable log file. 


The default option is to translate the log files. Raw log files can be translated at a later time using 
the letrans utility. 


Raw files simply contain the event data; consequently, they are not in a human-readable format. 
However, because these comma-delimited files maintain a consistent field structure across events, 
you can import these files into spreadsheet programs like Microsoft* Excel. 


The following is a sample from a raw log file: 


16777343,1051924636,1051924647, eDirInst\Object, 721699,7,0, .OntarioTestData.Channels.Logging 
Services,,0,0,0,L1NhdaHVybiBMb2dnaW5nIFN1cnZ1ci5Mb2dnaW5nIFN1cnZpY2Vz 
16777343,1051924636,1051924647, eDirInst\Object, 721690,7,0, .eDirectoryInstrumentation.Applicat 
ions.Logging Services,,0,0,0,LI1NhdHVybiBMb2dnaW5nIFN1cnZ1ci5Mb2dnaW5nIFN1cnZpY2Vz 
16777343,1051926065, 1051926065, eDirInst\Object, 720897,7,0, .BillBob.SIM,,0,0,1, LmFkbWluLINJTQ= 


Translated log files, on the other hand, can be visually scanned for content; however, it is difficult 
generate reports from these files because there is no consistent field structure—they contain only 
the event descriptions. 


The following is a sample from a translated log file: 


[Sat, 03 May 2003 01:25:10 +0000] eDirInst\Object: A read operation was performed on object 


. Ontario 
[Sat, 03 


TestData.Channels.Logging Services by .Saturn Logging Server.Logging Services 
May 2003 01:25:10 +0000] eDirInst\Object: A list Subordinate Entires operation has 


been performed on container .eDirectory Instrumentation.Applications.Logging Services by 


«Saturn Logging Server.Logging Services 
[Sat, 03 May 2003 01:39:41 +0000] eDirInst\Object: A new eDirectory object called .BillBob.SIM 


(Class:User) 


was created by .admin.SIM 


In addition to providing different log formats, the File channel is capable of creating localized logs. 
If the logging applications have localized log schema files and if those files are added to their 
respective Application objects, the File channel can write translated log files in the language 
designated in the File Channel object. 


Nsure Audit includes a utility, called LETrans, that can translate raw log files into human readable 
format. See “LETrans” on page 189. 
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NOTE: The Log Schema catalogs the events that can be logged for a given application. It can also provide 
event descriptions and labels for the event fields. For more information, see “Log Schema Files” on page 161. 


The logging server can use the File channel to write the central data store or create filtered log files. 


File Channel Driver 


At startup, the File channel driver, lgdfile, loads each application’s log schema. If a logging 
application has multiple language versions of its log schema, the File channel loads the schema for 
the language designated in the File Channel object. 


Novell Nsure Audit stores log schema files as attributes in their respective Application objects. For 
further information, see “Log Schema Files” on page 161. 


If the File and Syslog Channel objects reference the same language, the drivers independently load 
the log schema in their own memory. The only time the log schema is shared is between multiple 
instances of the same driver. For example, if you have two File channels configured to write 
translated log files in English, the English log schema for each application is loaded only once. 


When the File channel driver creates a raw log file, it simply writes the events “as is” to the data 
store. 


When it creates a translated log file, the File driver uses the Event ID to look up each event in the 
corresponding application’s log schema and then it writes the event description to the data store. 
If the log schema isn’t available, or if there isn’t a descriptive entry for the current event, the File 
channel defaults to the following format: 


SDC $TC,$SO,$NI,$NL, $NG, $N1,$N2,$SS,$ST\n 


(Client Date and Time Stamp, Component, EventID, Log Level, Group ID, Value1, Value2, Text1, 
Text2.) See “Event Variables” on page 158 for an explanation of each field and format variable. 


Because it uses the log schema to write translated logs, the File driver is also capable of creating 
localized logs. If a logging application has localized log schema files and if those files are added 
to the Application object, the File driver uses the log schema for the language designated in the 
File Channel object to write the event descriptions. For more information on the File channel’s 
language attribute, see “File Channel Object” on page 82. For information on localized log schema 
files, see “Localized Log Schema Files” on page 163. 


Flushing the File Channel Buffers 


On NetWare, the file channel driver writes events to memory and intermittently flushes the events 
to disk. The naudit file flush command forces the file channel driver to flush the events in memory 
to the log file on disk. 


To flush the file channel buffers, enter naudit file flush at the server console 


File Channel Object 
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The File Channel object stores the information the File driver needs to write events to the file 
system. 
The following table provides a description of each Channel object attribute. 


IMPORTANT: You must restart the logging server to effect any changes in Channel object configuration. For 
more information, see “Secure Logging Server Startup Commands” on page 182 
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Attribute 
Configuration 


Log File 


Purge log files after 


seconds 


Roll when log file reaches 
Bytes 


Log Format 


Translated 


Raw 


Description 

File Channel object configuration information. 
The path to the log file. 

The default Log File directories are as follows: 


+ sys:\etc\logdir\ (NetWare) 


¢ \program files\novell\nsure audit\logs\ (Windows) 


+ 


/var/opt/novell/naudit/logs/ (Linux) 
/opt/NOVLnaudit/logs/ (Solaris) 


+ 


IMPORTANT: All file data stores are named “log.” Therefore, if you have multiple File Channel 
objects, you must point them to different paths. 


The life span of the log files. The logging server deletes all log files older than the designated 
time period. 


The log file’s maximum file size. When a log file reaches the designated file size, Igdfile 
renames the file and creates a new log file. 


The archive filename is a combination of the current date and a hexadecimal sequence number 
(l/yy/mm/dd.###). For example, the first log file archived on July 10, 2003 would be named 
1030710.001. Subsequent log files archived on the same day would be named 1030710.002, 
1030710.003, etc. 


The File channel driver can log events in either translated or raw format. Select either 
Translated or Raw to set the logging mode for the current Channel object. 


This is the default option. 


In Translated mode, the File channel driver uses the Event ID to look up each event in the 
application’s log schema and it writes the event description to the data store. 


If the log schema isn’t available, or if there isn’t a descriptive entry for a particular event, the 
File channel defaults to the following format: 


SDC $TC, $S0O, $NI, $NL, $NG, $N1,$N2,$SS,$ST\n 


(Client Date and Time Stamp, Component, EventID, Log Level, Group ID, Value1, Value2, 
Text1, Text2) 


NOTE: Log Schema files (*.Isc) catalog the events that can be logged for a given application. 
They can also provide event descriptions and labels for the event fields. For more information, 
see “Log Schema Files” on page 161. 


Although a translated log file can be visually scanned for content, no reports can be generated 
from this file because there is no consistent field structure; it contains only the event 
descriptions. 


In Raw mode, the File channel driver writes the event data in comma-separated format (csv) to 
the data store. 


The raw log file is not ina human-readable format; however, it can be imported into spreadsheet 
programs like Microsoft Excel. 


Configuring System Channels 83 


Attribute 


Description 


The language in which events are written to file. 


Translated Language 


Status 


Java 


IMPORTANT: This option is valid only for Translated log files. 


If logging applications have localized Log Schema files and if those files are added to their 
respective Application object, the File channel can write Translated log files in the selected 
language. If there isn’t a log schema for the selected language, the channel defaults to English. 


You can create parallel logs in multiple languages by defining multiple File Channel objects with 
different languages and having a single notification filter pass events to all those channels. 


This option allows you to enable or disable the Channel object. By default, all Channel objects 
are enabled. This means that the logging server loads the Channel object’s configuration in 
memory at startup. 


The Channel object must be located in a supported Channel container for the logging server to 
use it. For more information on the logging server’s Channel Container property, see “Logging 
Server Objects” on page 55. 


If you mark the Disabled option, you must restart the Secure Logging Server for the setting to 
become effective. Thereafter, the logging server cannot load the object’s configuration until you 
mark Enabled. 


For information on unloading the logging server, see “Secure Logging Server Startup 
Commands’ on page 182. 


The Java channel allows the logging server to output filtered events to a Java application. 
Typically, the Java class is a custom application that provides a response to specific types of events. 
For example, if a user login is disabled, the Java channel driver can launch a Java class that 
automatically resets the user account. 


Java Channel Driver 


At startup, the Java driver, lgdjava, attempts to launch the designated Java class. If it is successful, 
that instance of the class remains active until the Java Channel object is disabled or the Secure 
Logging Server is shut down. 


If it cannot launch the Java class, the Java driver refuses to load. This safeguard ensures that no 
events are lost due to misconfiguration. 


NOTE: The Java driver does not buffer events that are undeliverable due to misconfiguration or a server 
failure. 


For information on how to hook your Java class into the Java channel driver, refer to the Java 
channel API in the Novell Nsure Audit SDK (http://developer.novell.com/ndk/naudit.htm). 


Java Channel Object 


The Java Channel object stores the information the Java driver needs to launch a Java class. 


The following table provides a description of each Channel object attribute. 


IMPORTANT: You must restart the logging server to effect any changes in Channel object configuration. For 
more information, see “Secure Logging Server Startup Commands” on page 182 
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Attribute 
Configuration 


Class Path 


Class Driver 


Status 


MySQL 


Description 
Contains configuration information for the Java Channel object. 


The local path to where the Java application is located. 


The Java class must be located on the current logging server. 
The name of the Java class the Java driver launches. 


This option allows you to enable or disable the Channel object. By default, all Channel objects 
are enabled. This means that the logging server loads the Channel object's configuration in 
memory at startup. 


The Channel object must be located in a supported Channel container for the logging server to 
use it. For more information on the logging server’s Channel Container property, see “Logging 
Server Objects” on page 55. 


If you mark the Disabled option, you must restart the Secure Logging Server for the setting to 
become effective. Thereafter, the logging server cannot load the object’s configuration until you 
mark Enabled. 


For information on unloading the logging server, see “Secure Logging Server Startup 
Commands” on page 182. 


The MySQL channel allows the logging server to log events to a MySQL database. The logging 
server can use the MySQL channel to create the central data store or a filtered database. 


The space you need for your database depends on a number of factors. These include, but are not 
limited to, how many events per second you are storing and how long you want to keep the data. 
The MySQL install, itself, is about 20 MB. (Keep in mind that the MySQL database does not need 
to be on the same volume as the MySQL binaries.) For the data store, a system that generates 
around 80 events per second with an average event size of 80 bytes consumes approximately 500 
MB of disk space for the database table and 150 MB for the index in a 24-hour period. 


NOTE: To enable the MySQL channel, the MySQL client library, libmysgq], is installed with the Secure Logging 
Server. 


For further information, see Appendix B, “Using MySQL with Nsure Audit,” on page 165. 


MySQL Channel Driver 


When the MySQL Channel object configuration is loaded in the logging server’s memory, the 
MySQL channel driver, 1gdmsql, automatically creates the following table structure for the 
MySQL data store: 
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Field Type Null Key Default Extra 
SourcelP int(11) YES 
$ ClientTimestamp lint(11) ¡YES [MUL 
Clienti S int(11) ¡YES 
ServerT imestamp | int(11) [YES 
SessionID int(11) ¡YES 
Component [varcharí255) [YES | 
@ EventID int(11) [YES IMUL 
Severity Jinga) [YES 
| Grouping int(11) [YES 
Driginator warchar(255) [YES 
OriginatorType  (int{11] ¡YES 
Target varchar(255) [YES 
TargetType ingi) YES 
SubT arget | varchar(255) ¡YES 
Textl y | varchar(255) [YES 
Text2 lvarchar(255) ¡YES 
Text3 varchar{255) ¡YES 
Valuel int(11) [YES 
Value2 int(11) [YES | 
Value] lint(11) [Yes 
MIMEType int(11) [YES 
— DataSize Titii) [YES 
Data mediumblob [YES 
Signature | varchar(255) [YES 
The default number of rows depends on the operating system. The default maximum size for a 
MySQL table is 4 GB (or 2 GB if your operating system only supports 2 GB tables). This default 


size limitation keeps pointer sizes down, making the index smaller and faster. 


NOTE: If you need larger tables, use the max_rows and avg_row_length commands in the MySQL Channel 
object's Create Table Options property. 


MySQL Channel Object 


Attribute 


Host 


Address 


The MySQL Channel object stores the information the MySQL driver needs to write events to a 
MySQL database. 


The following table provides a description of each Channel object attribute. 
IMPORTANT: You must restart the logging server to effect any changes in Channel object configuration. For 
more information, see “Secure Logging Server Startup Commands” on page 182 


Description 


The IP Address or host name of the database server. 
If a host name is specified, only the first address associated with that name is used. 


If the MySQL channel driver loses its connection with the database server, it tries to reconnect every second for 
30 seconds. If it cannot reconnect, the driver stores its current events in memory, but it does not accept any new 
events until the connection is restored. Incoming events are either stored in the Platform Agents’ Disconnected 
Mode Cache (in the case of the central data store) or dropped (in the case of a Notification Filter database). 
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Attribute 


User 


Password 


Database 


Name 


Table 


Description 


The user account the logging server uses to log in to the database. 


On NetWare 6.5, MySQL installs in Secure Mode. The default username for the NetWare 6.5 data store is 
“auditusr.” (This default can be changed during the installation of Novell Nsure Audit.) This account has all 
privileges to the default database (naudit) and can log in from any IP address. 


In Secure Mode, the default MySQL administrative account, Root, only has rights to log in at the database server. 
Therefore, if MySQL is running in Secure Mode and you want the logging server to use the Root account to log 
in to the database, MySQL and the Secure Logging Server must be located on the same server and you must 
specify a loopback address (“127.0.0.1” or “localhost”) in the Address field. 


The password the logging server uses to authenticate with the database. 


The default password for the NetWare 6.5 data store is “auditpwd.” (This default can be changed during the 
installation of Novell Nsure Audit.) 


The name of the database to which the logging server writes events. The default database name is “naudit.” 


The MySQL driver, lgdmsgq]l, automatically creates this database when the logging server first loads the current 
Channel object configuration in memory. 


The database table to which the logging server writes events. The default table is “log.” 


The MySQL driver, Igdmsql, automatically creates this table when the logging server first loads the current 
Channel object configuration in memory. 


For information on the default table structure, see “MySQL Channel Driver” on page 85. 
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Attribute 
Advanced 


CREATE 
TABLE 
Options 


SQL 
Expiration 
Commands 


Expire at 
specified 
time or 
interval 


Status 


Oracle 


Description 


This property allows you to customize the default table structure using standard SQL Create Table commands. 


For example, the max_rows and avg_row_length commands can be used to increase the maximum size of 
your table as follows: 


max_rows=200000000 avg_row_length=76 


This property enables you to use SQL Expiration commands to automate database maintenance. 


For example, you can automate data archiving by configuring the MySQL channel to automatically save out the 
current table and create a new table at designated intervals. 


For a listing of command variables and sample scripts, see “SQL Expiration Command Variables” on page 167. 


Use a semi-colon (; ) to separate multiple commands that must be executed in sequence. If the commands can 
be executed in any order, no semi-colon is needed. 


WARNING: If you choose the Autoconfigure for MySQL option in the NetWare 6.5 install, the installation 
program automatically creates the MySQL Channel object with a default Expiration script that runs every night 
at midnight and automatically deletes every record older than 12 hours. This is done because the default events 
logged by the NetWare and eDirectory Instrumentations quickly fill the database. To remove this setting, simply 
delete the script from the SQL Expiration Commands property and restart the Secure Logging Server. The script 
reads as follows: 


DELETE FROM $I WHERE clienttimestamp<(unix_timestamp()-43200); 


The frequency at which the expiration command script is executed. 
For daily regimens, select a time of day. (00 is midnight.) 
For weekly regimens, select a day of the week. The expiration commands are executed at midnight on that day. 


For monthly regimens, the expiration commands are executed at midnight on the first day of the month. 


This option allows you to enable or disable the Channel object. By default, all Channel objects are enabled. This 
means that the logging server loads the Channel object’s configuration in memory at startup. 


The Channel object must be located in a supported Channel container for the logging server to use it. For more 
information on the logging server’s Channel Container property, see “Logging Server Objects” on page 55. 


If you mark the Disabled option, you must restart the Secure Logging Server for the setting to become effective. 
Thereafter, the logging server cannot load the object’s configuration until you mark Enabled. 


For information on unloading the logging server, see “Secure Logging Server Startup Commands” on page 182. 


The Oracle channel allows the logging server to log events to an Oracle database. The logging 
server can use the Oracle channel to create the central data store or a filtered database. 


NOTE: Oracle no longer supports NetWare; therefore, the Oracle Channel object cannot be used in NetWare 
environments. 


For the Oracle channel to function properly, you must install the Oracle client libraries on the same 
server as the Secure Logging Server. 
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Oracle Channel Driver 


The Oracle channel drive, lgdora, creates the table for the Oracle data store automatically. In most 
circumstances, you do not need to create the data store table. 


If a situation arises requiring you to create this table manually, you can create the data store using 
the following table structure: 


Datatype Nulls? 

SOURCEIP NUMBER 0 
CLIENTTIMESTAMP | NUMBER 0 | 
CLIENTMS NUMBER 0 | 
SERVERTIMESTAMP [NUMBER 0 | 
SESSIONID NUMBER 0 | 
COMPONENT VARCHAR2 255 | 
EVENTID NUMBER 0 | 
SEVERITY [NUMBER 0 | 
GROUPING [NUMBER 0 | 
ORIGINATOR [VARCHAR2 255 v | 
ORIGINATORTYPE [NUMBER 0 | 
TARGET [VARCHAR2 255 v | 
TARGETTYPE [NUMBER 0 | 
SUBTARGET VARCHAR2 255 v | 
TEXTI “VARCHAR? 255 v| 
TEXT2 VARCHAR2 255 Y 
TEXT3 | VARCHAR2 255 v | 
VALUE1 | NUMBER 0 | 
VALUE2 [NUMBER 0 | 
VALUES NUMBER 0 | 
MIMETYPE NUMBER 0 | 
DATASIZE NUMBER 0 | 
DATA LONG RAW v | 
SIGNATURE VARCHAR2 255 v | 


Oracle Channel Object 


Attribute 


Host 


t 


The Oracle Channel object stores the information the Oracle driver needs to write events to an 


Oracle database. 


The following table provides a description of each Channel object attribute. 


IMPORTANT: You must restart the logging server to effect any changes in Channel object configuration. For 
more information, see “Secure Logging Server Startup Commands” on page 182 


Description 
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Attribute 


Address 


User 
Password 
Database 
Name 
Table 


Status 


SMTP 


Description 


The IP Address or host name of the database server. 
If a host name is specified, only the first address associated with that name is used. 


If the Oracle channel driver loses its connection with the database server, it stores its current 
events in memory, but it does not accept any new events until the connection is restored. 
Incoming events are either stored in the Platform Agent’s Disconnected Mode Cache (in the 
case of the central data store) or dropped (in the case of a Notification Filter database). 


The user name for the account the logging server uses to authenticate with the database. 


The password for the account the logging server uses to authenticate with the database. 


The name of the database to which the logging server writes events. 
The database table to which the logging server writes events. 


This option allows you to enable or disable the Channel object. By default, all Channel objects 
are enabled. This means that the logging server loads the Channel object’s configuration in 
memory at startup. 


IMPORTANT: The Channel object must be located in a supported Channel container for the 
logging server to use it. For more information on the logging server’s Channel Container 
property, see “Logging Server Objects” on page 55. 


If you mark the Disabled option, you must restart the Secure Logging Server for the setting to 
become effective. Thereafter, the logging server cannot load the object’s configuration until you 
mark Enabled. 


For information on unloading the logging server, see “Secure Logging Server Startup 
Commands’ on page 182. 


The SMTP channel allows the logging server to e-mail logged events. Typically, the SMTP 
channel is used to e-mail system critical events, such as a server abend, to a system administrator’s 
mailbox, cell phone, or other e-mail enabled device. Using SMTP Channel objects with 
notification filters, administrators can keep abreast of what is going on in their system as it 
happens. 


SMTP Channel Driver 


At startup, the SMTP driver, lgdsmtp, performs a server check; that is, the driver attempts to 
connect to the designated host at port 25. The server check verifies the driver can actually 
communicate with the server before it attempts to relay events. If the server check fails, the SMTP 
driver refuses to load. This safeguard ensures that no events are lost due to misconfiguration. 


The SMTP driver does not buffer events that are undeliverable because of a misconfiguration or a 
server failure. 


The SMTP channel driver can send events through servers that require SMTP authentication as 
long as a valid username and password are defined in the Channel object configuration. If the 
username and password are configured, the SMTP driver always attempts SMTP authentication 
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when connecting with the relay host. It does not, however, distinguish whether or not this 
authentication is actually successful and it tries to send the message in either case. 


The SMTP driver cannot authenticate with an SMTP server on which SMTP-after-POP is enabled. 


SMTP Channel Object 


Attribute 
SMTP Relay Settings 


Host 


User 


Password 


Message Settings 


Sender 


Recipient 


Subject 


The SMTP Channel object stores the information the SMTP driver needs to relay events through 
an SMTP server. 


The following table provides a description of each Channel object attribute. 


IMPORTANT: You must restart the logging server to effect any changes in Channel object configuration. For 
more information, see “Secure Logging Server Startup Commands’ on page 182. 


Description 


The host name or IP address of the SMTP server. 


If a host name is specified, only the first address associated with that name is used. 


The user name for the e-mail account the SMTP channel uses to connect to the SMTP server. 


The user name is required only if SMTP Authentication is enabled on the SMTP server. 


The password for the e-mail account the SMTP channel uses to connect to the SMTP server. 


The password is required only if SMTP Authentication is enabled on the SMTP server. 


The name that appears in the From: line for all messages sent from this SMTP Channel object. 
Some SMTP servers require this field to be a valid email address. If this is required by your 
SMTP server, make sure you provide a valid e-mail address, such as 
username@yourcompany.com . 


The e-mail addresses to which all events directed through this SMTP Channel object are sent. 
Multiple recipients are delineated with a comma (, ), a space, or a semicolon (; ). 


You can also enter the $S or $T event variables in this field instead of a real address. When 
relaying an event, the SMTP driver replaces these variables with the value of the event's Text1 
or Text2 fields, respectively. (See “Event Variables” on page 158 for more information.) 


As long as the value of the Text1 or Text2 field is an e-mail address, the $S and $T variables 
can be leveraged to automatically send notification messages for user-related events such as 
a password change. 


IMPORTANT: To use the $S and $T variables, you must also configure a Notification Filter that 
directs only those events with an e-mail address in the Text1 or Text2 fields to this SMTP 
Channel object. For information on configuring Notification Filters, see Chapter 9, “Configuring 
Filters and Event Notifications,” on page 99. 


The text that appears in the Subject line for all messages sent from this SMTP Channel object. 
The subject line can contain up to 255 characters. 


The subject line can also contain event variables. The SMTP driver replaces these variables 
with a value from the event’s designated field. For a listing of event variables, see “Event 
Variables” on page 158. 


This field is optional. 
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Attribute 


Message 


Status 


SNMP 


2 B SNMP: Enterprise 
10) SNMP: Network address = [137.65.159.169] 

0) SNMP: Generic trap = 6 (Enterprise specific) 
{O SNMP: Specific trap 
y SNMP: Time ticks 


00000000: 00 cü 4f ad 28 63 00 c0 a8 87 Sf cl 08 00 45 00 .AO-(c.A'I_A..E. 
00000010: 00 77 £1 5c 00 00 80 11 £7 47 89 41 9f a5 89 41 wh . .1.=GIAI#IA 
00000020: 9f a9 Da 91 00 a2 00 63 3a 32 30 59 02 01 00 04 19.".0.c:20Y.... 
00000030: 06 70 75 62 6c 69 63 a4 4c 06 Da 60 86 48 01 86 .public*L..*1H.1 
00000040: £8 37 01 82 Sb 40 04 89 41 9f a9 02 01 06 02 03 e7?.1[0.1418..... 
00000050: Oa 00 02 43 04 3e Be 61 12 30 2a 30 28 06 09 51 ...C.>la.0x0(..0 
00000060: 07 1d 8f 37 Ob 01 8f 3a 04 1b 49 27 6d 20 74 72 ..17..1:..1'n tr 
00000070: 61 70 70 65 64 20 62 79 20 65 76 65 6e 74 20 36 apped by event 6 
00000080: 35 35 33 36 32 55362 


Description 


The text that appears in the message body for all messages sent from this SMTP Channel 
object. The message body can be up to 64 KB; however, for performance reasons, this is not 
recommended. 


The message body can contain event variables. The SMTP driver replaces these variables with 
a value from the event's designated field. For a listing of event variables, see “Event Variables” 
on page 158. 


This field is optional. 


This option allows you to enable or disable the Channel object. By default, all Channel objects 
are enabled. This means that the logging server loads the Channel object's configuration in 
memory at startup. 


The Channel object must be located in a supported Channel container for the logging server to 
use it. For more information on the logging server's Channel Container property, see “Logging 
Server Objects” on page 55. 


If you mark the Disabled option, you must restart the Secure Logging Server for the setting to 
become effective. Thereafter, the logging server cannot load the object's configuration until you 
mark Enabled. 


For information on unloading the logging server, see “Secure Logging Server Startup 
Commands” on page 182. 


The SNMP channel allows the logging server to send filtered events to an SNMP management 


A decoded SNMP trap appears as follows: 


8 Eo SNMP: ---— Simple Network Management Protocol (Version 1) ----—- 
Uy SNMP : 
~ (3 SNMP: SNMP Version = 1 
k B SNMP: Community = public 
i Q SNMP: Command = Trap 


{2.16.840.1.113719.1.347} 


655362 
1049518354 


iD SHEP Ob actos dadas dais oa dar) 
Wh SNMP: Value = I'm trapped by event 655362 


E 


The trap values are explained in following table. 
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SNMP Value Description 


SNMP Version The trap’s SNMP version. The Nsure Audit SNMP driver sends SNMPv1 
traps. 

Community The string, or password, needed to access the SNMP management 
system. 

Command The SNMP Command. This is always Trap. 

Enterprise The Enterprise that sent the event is always 2.16.840.1.113719.1.347.3.1 . 

Network address The IP address of the logging server that sent the trap. 

Generic trap The Generic Trap field is always 6 (Enterprise specific). 

Specific trap The Specific Trap field always contains the Event ID of the event that 


triggered the trap. 

Time Ticks The time the event was sent in seconds since 1970. 

Object The Object ID specified in the SNMP Channel object. If no Object ID is 
specified, the Nsure Audit internal OID is used 


(2.16.840.1.113719.1.347.3.1). 


Value The Value associated with the Object is the message configured in the 
SNMP Channel object. 


SNMP Channel Driver 
The SNMP driver sends SNMPv1l traps. 


The SNMP driver does not buffer traps that are undeliverable because of a misconfiguration or a 
server failure. 


SNMP Channel Object 


The SNMP Channel object stores the information the SNMP driver needs to send traps to an 
SNMP management system. 


The following table provides a description of each Channel object attribute. 


IMPORTANT: You must restart the logging server to effect any changes in Channel object configuration. For 
more information, see “Secure Logging Server Startup Commands” on page 182 


Attribute Description 
Configuration 
Send Trap to Host The host name or IP address of the SNMP management system. 
If a host name is specified, only the first address associated with that name is used. 


Community String for Trap The community string, or password, needed to access the SNMP management system. 


If no community string is specified, the driver defaults to “public.” 
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Attribute 


Object ID 


Message 


Status 


Syslog 


Description 


The object you wish to associate with this message. You should enter your own asn1 object id. 
If no Object ID is specified, the Nsure Audit internal OID is used (2.16.840.1.113719.1.347.3.1). 
The Nsure Audit OID is under the CCITT/US/novell tree. 


The text that appears in the message body for all traps sent from this SNMP Channel object. 


Because SNMP specifications require that an SNMP packet can be no larger than 500 bytes, 
the message body is limited to 300 bytes. The SNMP driver simply truncates anything over 300 
bytes. 


The message body can contain event variables. The SNMP driver replaces these variables with 
a value from the event’s designated field. For a listing of event variables, see “Event Variables” 
on page 158. 


This field is optional. 


This option allows you to enable or disable the Channel object. By default, all Channel objects 
are enabled. This means that the logging server loads the Channel object’s configuration in 
memory at startup. 


The Channel object must be located in a supported Channel container for the logging server to 
use it. For more information on the logging server’s Channel Container property, see “Logging 
Server Objects” on page 55. 


If you mark the Disabled option, you must restart the Secure Logging Server for the setting to 
become effective. Thereafter, the logging server cannot load the object’s configuration until you 
mark Enabled. 


For information on unloading the logging server, see “Secure Logging Server Startup 
Commands’ on page 182. 


The Syslog channel allows the logging server to log events to a specific syslog facility on any 
syslog host or to a remote syslog daemon. 


It is also capable of creating localized logs. If the logging applications have localized Log Schema 
files and if those files are added to their respective Application objects, the Syslog channel can 
write the log files in the language designated in the Syslog Channel object. 


The Log Schema catalogs the events that can be logged for a given application. It can also provide 
event descriptions and labels for the event fields. For more information, see “Log Schema Files” 
on page 161. 


The logging server can use the Syslog channel to write the central data store or to create filtered 
log files. 


Syslog Channel Driver 


At startup, the Syslog driver, lgdsyslog, loads each application’s log schema. If a logging 
application has multiple language versions of its log schema, the Syslog channel loads the schema 
for the language designated in the Syslog Channel object. 


Novell Nsure Audit stores log schema files as attributes in their respective Application objects. For 
further information, see “Log Schema Files” on page 161. 
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NOTE: If the File and Syslog Channel objects reference the same language, the drivers independently load 
the log schema in their own memory. The only time the log schema is shared is between multiple instances of 
the same driver. For example, if you have two Syslog channels configured to write log files in English, the 
English log schema for each application is loaded only once. 


When it writes events to the syslog facility, the Syslog driver uses the Event ID to look up each 
event in the corresponding application’s log schema and then it writes the event description to the 
data store. If the log schema isn’t available, or if there isn’t a descriptive entry for the current event, 
the Syslog channel defaults to the following format: 


SDC $TC, $S0, $NI, SNL, $NG, $N1,$N2,$SS,$ST\n 


(Client Date and Time Stamp, Component, EventID, Log Level, Group ID, Valuel, Value2, Text1, 
Text2.) See “Event Variables” on page 158 for an explanation of each field and format variable. 


Because it uses the log schema to log events, the Syslog driver is also capable of creating localized 
logs. If a logging application has localized log schema files and if those files are added to the 
Application object, the Syslog driver uses the log schema for the language designated in the Syslog 
Channel object to write the event descriptions. 


For more information on the Syslog channel’s language attribute, see “Syslog Channel Object” on 
page 95. For information on localized log schema files, see “Localized Log Schema Files” on 
page 163. 


Syslog Channel Object 


Attribute 


The Syslog Channel object stores the information the Syslog driver needs to write events to syslog. 


The following table provides a description of each Channel object attribute. 


IMPORTANT: You must restart the logging server to effect any changes in Channel object configuration. For 
more information, see “Secure Logging Server Startup Commands” on page 182 


Description 


Configuration 


Syslog Host 


Facility 


The host name or IP address of the syslog server. 
If a host name is specified, only the first address associated with that name is used. 


The syslog server must be running a syslog daemon that allows remote connections for log 
drop-off. UNIX syslog daemons accept remote connections by default; however, Linux system 
daemons do not. Therefore, the startup script for Linux syslog daemons must be altered to 
explicitly allow remote connections. This is done using the -r switch on syslogd. 


The syslog facility to which the logging server writes events. 
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Attribute 


Log Language 


Status 


JDBC 


Description 


The language in which events are written to syslog. 


If a logging application has localized Log Schema files and if those files are added to the 
Application object, the Syslog channel can write log files in the selected language. If there isn’t 
a log schema for the selected language, the channel defaults to English. 


Log Schema files (*.Isc) catalog the events that can be logged for a given application. They can 
also provide event descriptions and labels for the event fields. For more information, see “Log 
Schema Files” on page 161. 


If the log schema isn’t available, or if there isn’t a descriptive entry for the current event, the 
Syslog channel defaults to the following format: 


SDC $TC,$SO,$NI, SNL, SNG, $N1, $N2,$SS,$STIn 
(EventID, Log Level, Group ID, Value1, Value2, Text1, Text2) 


Technically, only English is allowed because syslog is a 7-bit protocol. However, most syslog 
implementations support 8-bit, so all 8-bit languages can be selected. However, some 8-bit 
languages, such as Russian, are not very usable in syslog. No 16-bit languages are allowed. 


You can create parallel logs in multiple languages by defining multiple Syslog Channel objects 
with different languages and having a single notification filter pass all events to those channels. 


This option allows you to enable or disable the Channel object. By default, all Channel objects 
are enabled. This means that the logging server loads the Channel object’s configuration in 
memory at startup. 


The Channel object must be located in a supported Channel container for the logging server to 
use it. For more information on the logging server’s Channel Container property, see “Logging 
Server Objects” on page 55. 


If you mark the Disabled option, you must restart the Secure Logging Server for the setting to 
become effective. Thereafter, the logging server cannot load the object’s configuration until you 
mark Enabled. 


For information on unloading the logging server, see “Secure Logging Server Startup 
Commands’ on page 182. 


The JDBC channel allows the logging server to output filtered events to any JDBC-enabled 
datastore. Before you create a JDBC channel object, copy all required JDBC libraries (jar 
extension) to the tomcat\4\common\lib folder of your ¡Manager server. 


JDBC Channel Object 


The JDBC Channel object stores the information the JDBC driver needs to write events to a JDBC- 
enabled data store. 
The following table provides a description of each Channel object attribute. 


IMPORTANT: You must restart the logging server to effect any changes in Channel object configuration. For 
more information, see “Secure Logging Server Startup Commands” on page 182 
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Attribute 


Java Class 
Path 


JDBC Class 


JDBC URL 


JDBC Table 


JDBC Table 
Create SQL 


Status 


Description 


Full path to any .jar files required by your driver, as well as the full path to jdbclogdriver.jar, and nauditdriver.jar, 
separated by semicolons. 


Package and name of the Java class providing JDBC connectivity. 
Valid JDBC URL for the target data store, including the table name. 
Name of the table used to log Nsure Audit events. 


If the table specified in the JDBC Table parameter does not exist, enter SQL commands to create the table. 


This option allows you to enable or disable the Channel object. By default, all Channel objects are enabled. This 
means that the logging server loads the Channel object’s configuration in memory at startup. 


The Channel object must be located in a supported Channel container for the logging server to use it. For more 
information on the logging server’s Channel Container property, see “Logging Server Objects” on page 55. 


If you mark the Disabled option, you must restart the Secure Logging Server for the setting to become effective. 
Thereafter, the logging server cannot load the object’s configuration until you mark Enabled. 


For information on unloading the logging server, see “Secure Logging Server Startup Commands” on page 182. 


Microsoft SQL Server 


The Microsoft SQL Server channel allows the logging server to log events to a Microsoft SQL 
Server database. The logging server can use the Microsoft SQL Server channel to create the central 
data store or a filtered database. 


The space you need for your database depends on a number of factors. These include, but are not 
limited to, how many events per second you are storing and how long you want to keep the data. 
For the data store, a system that generates around 80 events per second with an average event size 
of 80 bytes consumes approximately 500 MB of disk space for the database table and 150 MB for 
the index in a 24-hour period. 


IMPORTANT: Native connections to a Microsoft SQL server database are available only when running the 
Secure Logging Server on a Windows platform. JDBC must be used to connect to a Microsoft SQL Server 
database from other platforms. 


Microsoft SQL Server Channel Driver 


When the SQL Server Channel object configuration is loaded in the logging server’s memory, the 
SQL Server channel driver, lgdmssql, automatically creates the following table structure for the 
SQL Server data store: 
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Column Name Data Type [Length] Allow Nulls 
SourcelP int 4 Y 
ClientTimeStamp int 4 Y 
ClientMS int 4 Y 
ServerTimestamp int 4 Y 
SessionID int 4 Y 
Component varchar 255 Y 
EventID int Y 
Severity int 4 Y 
Grouping int 4 Y 
Originator varchar 255 Y 
OriginatorType int 4 Y 
Target varchar 255 Y 
TargetType int 4 Y 
SubTarget varchar 255 Y 
Text1 varchar 255 Y 
Text2 varchar 255 Y 
Text3 varchar 255 Y 
Valuel int 4 Y 
Yalue2 int 4 Y 
Value3 int 4 Y 
MIMEType int 4 Y 
DataSize int 4 Y 
Data image 16 Y 
Signature varchar 255 Y 


Microsoft SQL Server Channel Object 


Attribute 


Server 
Name 


Database 


Table 


Username 


Password 


Use SSL 


Status 


The Microsoft SQL Server Channel object stores the information the Microsoft SQL Server driver 
needs to write events to a Microsoft SQL Server database. 


The following table provides a description of each Channel object attribute. 


IMPORTANT: You must restart the logging server to effect any changes in Channel object configuration. For 
more information, see “Secure Logging Server Startup Commands” on page 182 


Description 


The IP Address or host name of the database server. 


The name of the database to which the logging server writes events. 

The database table to which the logging server writes events. 

The user name for the account the logging server uses to authenticate with the database. 
The password for the account the logging server uses to authenticate with the database. 
Select whether SSL should be used to connect to the database server. 


This option allows you to enable or disable the Channel object. By default, all Channel objects are enabled. This 
means that the logging server loads the Channel object's configuration in memory at startup. 


The Channel object must be located in a supported Channel container for the logging server to use it. For more 
information on the logging server's Channel Container property, see “Logging Server Objects” on page 55. 


If you mark the Disabled option, you must restart the Secure Logging Server for the setting to become effective. 
Thereafter, the logging server cannot load the object's configuration until you mark Enabled. 


For information on unloading the logging server, see “Secure Logging Server Startup Commands” on page 182. 
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Overview 


Configuring Filters and Event Notifications 


Using filters and event notifications, Novell® Nsure™ Audit is capable of reporting when a 
specific type of event occurs, or when it does not occur. This section provides the information you 
need to configure your system filters and notifications. 


By default, your main logging channel receives all events. Notifications are required only if you 
want to send specific events to a channel other than your main logging channel. Do not send 
notifications to your main logging channel, as this results in duplicate logged events. 


+ “Overview” on page 73 

+ “Creating Notification Objects” on page 99 
¢ “Notification Filters” on page 100 

+ “Heartbeat Objects” on page 102 


Nsure Audit provides two kinds of event notification: 
¢ Filtered Notification 


+ Heartbeat Notification 


Filtered notification tells you when a specific event has occurred; heartbeat notification tells you 
when an event has not occurred. 


As the name implies, Notification Filter objects filter specific events from the stream of incoming 
events. The filtered events are then routed to one or more channel drivers where they can be logged 
to a database, routed to a Java application or SNMP management system, or broadcast to an 
administrator via SMTP. In some cases, filtered events may be directed to the CVR channel to 
trigger a reset policy. 


Heartbeat objects monitor the stream of incoming events for the occurrence of a specific Event ID. 
If the event does not occur within the designated interval, the logging server generates a heartbeat 
event (EventID 0001001). This event is automatically logged to the central data store; however, if 
you want to receive notification that a specific event has not occurred, you must create a 
Notification Filter for the corresponding heartbeat event. 


Creating Notification Objects 


Both filtered and heartbeat notifications are configured in Novell eDirectory™ using Notification 
Filter and Heartbeat objects. 


Notification Filter objects store the criteria the logging server uses to filter system events. They 
also designate which Channel objects the logging server uses to provide event notification. 
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Heartbeat objects define which Event IDs the logging server is looking for and the interval at 
which those events must occur. You can also define the information that is returned in the heartbeat 
event’s Textl, Text2, Valuel, and Value2 fields. 


You must create a separate Notification Filter object for every event you want to filter. A single 
Heartbeat object, on the other hand, can monitor multiple events. In fact, you really only need to 
create one Heartbeat object in your logging system. 


You can create Notification Filter and Heartbeat objects using ¡Manager. For information on using 
iManager, see Chapter 4, “Nsure Audit ¡Manager Plug-in,” on page 39. 


You must create Notification Filter and Heartbeat objects in Notification containers. The 
Notification container under Logging Services is automatically created during installation; 
however, additional Notification containers can be created anywhere in the tree. 


Creating Notification objects in the central Notification container under Logging Services is ideal 
for organizations that need a simple, easy-to-manage logging system. It also suits organizations 
that are implementing Nsure Audit as an auditing solution and, for security reasons, want to 
centrally manage their system. 


If you want to distribute logging system administration, however, Notification objects can be 
created anywhere in the tree. For example, if administration is divided by logging server, you can 
create a Notification container under each Logging Server object. On the other hand, if 
administration is divided by application (for example, one person manages logging for iChain®, 
another DirXML? lo geing, etc.), the Notification container can be created in any context assigned 
to its administrator. 


If you create a Notification container elsewhere in the tree, you must add that container to the 
logging server’s list of supported containers. At startup, the logging server scans its list of 
supported Notification containers and loads the included Notification object configurations in 
memory so it can filter events, monitor Heartbeat events, and route notifications to the appropriate 
channels. If a Notification object is not in one of the logging server’s supported Notification 
containers, it cannot use it. For more information on the logging server’s Notification Container 
property, see “Logging Server Objects” on page 55. 

IMPORTANT: The logging server loads only the Notification object configurations at startup. Therefore, if you 
create a new Notification container or Notification object, you must first ensure the Notification container is 


included in the logging server’s Notification Container list and then restart the logging server. For information 
on restarting the logging server, see “Secure Logging Server Startup Commands” on page 182. 


Notification Filters 


Notification Filter objects define event criteria and designate which Channel objects should be 
used to provide event notification. 


To define Notification Filters, you must be familiar with event structure. For more information on 
each event field, see “Event Structure” on page 155. 


When you define a Notification Filter, you specify a value for a given event field. To narrow the 
results, you can define values for multiple event fields. Using standard And, Or, and Not operators, 
you can define up to 15 event conditions. 


After you define the event criteria, you must select a notification channel. Notification channels 
are simply the Channel objects the logging server uses to provide event notification. For example, 
if you want to e-mail events to your mailbox, you must select an SMTP Channel object that is 
configured to relay events to your e-mail address. Similarly, if you want to log events to a MySQL 
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Attribute 


Description 


Rule 


Event Field 


Condition 


Value 


Operator 


Notification Channels 


database, you must select a MySQL Channel object that is configured to write events to the correct 
database and table. You can define multiple notification channels for any given Notification object. 


The following table provides a description of each Notification Filter attribute. 


IMPORTANT: You must restart the logging server to effect any changes in Filter object configuration. For 
more information, see “Secure Logging Server Startup Commands” on page 182. 


Description 


This field allows you to enter a description and any necessary explanation for the Notification 
Filter. 


The field limit is 255 characters. 


The information from this field is returned if one uses the SE event variable. For more 
information, see “Event Field Variables” on page 159. 


The Rule defines the filter criteria. 

The event field on which the logging server filters events. 

For more information on the event fields, see “Event Structure” on page 155. 

The condition under which the logging server applies the Value to the Event Field. 


Depending on the Event Field, you can select one of the following conditions from the drop- 
down list box: 


« Matches 
+ Is less 
+ Is more 


+ Is between 
+ Contains 
The value for the designated Event Field. 


The logging server applies the Value to the designated Event Field under the defined 
conditions. If an event matches the criteria, it is sent to the designated notification channel. 


To narrow the filter results, you can define values for multiple event fields. Using standard And, 
or, and Not operators, you can define up to 15 event conditions. 


The conditions are accumulative; that is, the logging server applies the first condition, then the 
second, then the third, etc., to progressively narrow the results. 


The Channel objects the logging server uses to provide event notification. You can select 
multiple notification channels for any given Filter object. 


Click the Object Selector button Š to select Channel objects in the tree. 
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Attribute Description 


Status This option allows you to enable or disable the Notification Filter. By default, all Notification 
Filters are enabled. This means that the logging server loads the filter's configuration in 
memory at startup. 


IMPORTANT: The Notification Filter object must be located in a supported Notification 
container for the logging server to use it. For more information on the logging server’s 
Notification Container property, see “Logging Server Objects” on page 55. 


If you mark the Disabled option, you must restart the Secure Logging Server for the setting to 
become effective. Thereafter, the logging server cannot load the object’s configuration until you 
mark Enabled. 


For information on unloading the logging server, see “Secure Logging Server Startup 
Commands’ on page 182. 


Heartbeat Objects 


Heartbeat objects define which Event IDs the logging server is looking for and the interval at 
which those events must occur. You can also define the information that is returned in the heartbeat 
event’s Textl, Text2, Valuel, and Value2 fields. 


If an event does not occur within the designated interval, the logging server generates a heartbeat 
event (EventID 0001001). The information in the Heartbeat object’s Textl, Text2, Text3, Valuel, 
Value2, and Value3 fields is used to populate the corresponding fields in the heartbeat event. The 
Notification Filter can differentiate heartbeat events based on the values you define in the Text1, 
Text2, Text3, Valuel, Value2, and Value3 fields. 


The heartbeat event is automatically logged to the central data store; however, if you want to 
receive notification that a specific event has not occurred, you must create a Notification Filter for 
the corresponding heartbeat event. 


The following table provides a description of each Heartbeat object attribute. 


IMPORTANT: You must restart the logging server to effect any changes in Heartbeat object configuration. For 
more information, see “Secure Logging Server Startup Commands’ on page 182. 


Attribute Description 
Description This field allows you to enter a description and any necessary explanation for the Heartbeat 
object. 


The field limit is 255 characters. 


Event ID The Event ID you want the logging server to monitor. 


The Event ID uniquely identifies each type of logged event. For more information, see “Event 
Structure” on page 155. 


If a logging application does not log the Event ID within the designated interval, the logging 
server generates a heartbeat event. 


IMPORTANT: The Event ID is not included in the heartbeat event. Therefore, you should enter 
information in the Text1, Text2, Text3, Value1, Value2, and Value3 fields that allows you to 
determine which event triggered the heartbeat event. 
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Attribute 


Interval 


Text1 


Text2 


Text3 


Value? 


Value2 


Value3 


Operators +- 


Status 


Description 


The maximum number of seconds between each event occurrence. 


If the event does not occur within the designated interval, the logging server generates a 
heartbeat event. 


The information that appears in the heartbeat event's Text1 field. It can contain any text string 
up to 255 characters. 


To facilitate filtering of heartbeat events, the Text1, Text2, Value1, and Value2 fields should 
include information that allows you to identify which event triggered the heartbeat event. 


The information that appears in the heartbeat event's Text2 field. It can contain any text string 
up to 255 characters. 


The information that appears in the heartbeat event's Text3 field. It can contain any text string 
up to 255 characters. 


The information that appears in the heartbeat event’s Value’ field. It can contain any numeric 
value up to 32 bits. 


The information that appears in the heartbeat event's Value2 field. It can contain any numeric 
value up to 32 bits. 


The information that appears in the heartbeat event’s Value3 field. It can contain any numeric 
value up to 32 bits. 


Click the plus sign (+) to add a new line. Click the minus sign (-) to remove a line. 


Each line defines a separate event for the logging server to monitor. If a given event does not 
occur, the logging server generates a unique heartbeat event using the information from the 
Text1, Text2, Text3, Value1, Value2, and Value3 fields. 


There is no programmed limit to the number of events that can be added to Heartbeat objects. 


This option allows you to enable or disable a Heartbeat object. By default, all Heartbeat objects 
are enabled. This means that the logging server loads the object’s configuration in memory at 
startup. 


IMPORTANT: The Heartbeat object must be located in a supported Notification container for 
the logging server to use it. For more information on the logging server’s Notification Container 
property, see “Logging Server Objects” on page 55. 


If you mark the Disabled option, you must restart the Secure Logging Server for the setting to 
become effective. Thereafter, the logging server cannot load the object’s configuration until you 
mark Enabled. 


For information on unloading the logging server, see “Secure Logging Server Startup 
Commands’ on page 182. 
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Generating Queries and Reports 


Logging information is only half the battle. Obviously, you have to be able to access and 
understand your log data for the information to be useful. Queries and reports allow you to view 
and interpret the information in your data store. 


Novell® Nsure™ Audit provides two tools that can be used to run queries or reports on your data 
stores. They are iManager and Nsure Audit Report. The following sections provide the 
information you need to generate queries and reports in each tool. 


+ “Using ¡Manager to Generate Queries” on page 105 


+ “Using Nsure Audit Report” on page 115 


¡Manager and Nsure Audit Report are not the only tools that can be used to access log data. 
Because Novell Nsure Audit logs events to standard systems (MySQL, Oracle, Microsoft SQL 
Server, syslog, and text files), you can directly access log data using any tool that is standardized 
to those systems. For example, you can access data in MySQL and Oracle systems using ODBC 
or JDBC* tools and text files can be opened with a standard text reader such as Windows Notepad 
or VIM (UNIX). 


Using ¡Manager to Generate Queries 


Novell ¡Manager is a Web-based application that is used to manage, maintain, and monitor Novell 
eDirectory™ through wired and wireless devices. With the Novell Nsure Audit plug-in module, 
¡Manager can be used to manage Nsure Audit objects in eDirectory. 


In addition to managing Nsure Audit objects, the Nsure Audit plug-in module allows you to create 
and run queries in iManager. Using the Query Configuration and Queries tasks under the Nsure 
Audit role, you can perform the following tasks: 


+ “Defining Your Query Databases in iManager” on page 105 

¢ “Setting Your Global Options in iManager” on page 107 

+ “Importing and Viewing Log Events in iManager” on page 108 
+ “Defining Queries in iManager” on page 109 

+ “Running Queries in iManager” on page 113 

+ “Exporting Query Results in iManager” on page 114 


+ “Printing Query Results in iManager” on page 115 


Defining Your Query Databases in ¡Manager 


Before you can query a database, ¡Manager needs to know where to find the data store and how to 
communicate with the database. This information is stored in the database definition. Every 
database you want to query must have its own database definition in ¡Manager. 
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IMPORTANT: The database definitions you create in iManager are stored in the User object you use to log 
in to iManager. Consequently, they are not available to other users on the system. 


To create a database definition in iManager: 

1 Open the Query Configuration task. 
a Click the Roles and Tasks button on the iManager toolbar. 
1b In the Roles and Tasks view, expand the Nsure Audit role. 
Ae Click the Query Configuration task. 

2 In the Query Configuration screen, click Databases > New. 

3 Inthe New Database menu, enter the database information. 
See the table below for a description of each field. 


4 When finished, click OK. 
The new database definition now appears in the Database Name list. 


The following table provides a description of each field in the database definition. 


Field Description 


Name The name you want to use to refer to this database. 


This name appears in the Database Name list. 


JDBC Class Package and name of the Java class providing JDBC connectivity. 


The Java archive file (.jar) containing this JDBC class must be located in the iManager class 
path. On NetWare®, this is sys:\tomcat\4\commonl\lib . 


The following examples contain the JDBC class provided by the manufacturer for the most 
common databases: 
MySQL: com.mysql.jdbc.Driver 
The required JDBC jar file is installed with the Nsure Audit iManager plug-in. 
Oracle: oracle.jdbc.driver.OracleDriver 
The Oracle JDBC jar file can be downloaded from the Oracle Web site (http:// 
otn.oracle.com/software/tech/java/sqlj_jdbc/index.html). This file must be in the classpath 
of your ¡Manager server, for example, tomcat\4\commonI\lib . 
SQL Server: com.microsoft.jdbc.sqlserver.SQLServerDriver 
The SQL Server JDBC jar file can be downloaded from the Microsoft Download Center 
(http:/Awww.microsoft.com/downloads/search.asp). This file must be in the classpath of 
your ¡Manager server, for example, tomcat\4\common\lib. 


JDBC URL A valid JDBC URL, including the database name, that that ¡Manager uses to communicate with 
the database. Any JDBC-compliant driver can be used.The driver name is case sensitive. 


Consult the documentation provided by your database vendor for specifics on constructing 
JDBC URLs. The following are JDBC URL examples for the most common databases using the 
default port. This database name must be replaced with the name of your Nsure Audit 
database, the default Nsure Audit database name is naudit. 


+ MySQL jdbc:mysal://<ip_address>:<port>/<database_name> 
+ Oracle jdbc:oracle:thin:@<ip_address>:<port>:<sid> 


+ SQL Server jdbc:microsoft:sqlserver:// 
<ip_address>:<port>;DatabaseName=<database_name> 
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Field Description 
Table The name of the table iManager queries. 


In Novell Nsure Audit, table names are defined in MySQL and Oracle Channel objects. The 
default table name is log. 


If you have multiple MySQL or Oracle Channel objects, you must create a separate database 
definition for each data store. 


Username The user name iManager uses to authenticate with the database. 


The default username for the NetWare 6.5 data store is auditusr. (This default can be changed 
during the installation of Novell Nsure Audit.) This account has all privileges to the default 
database (naudit) and can log in from any IP address. 


By default, MySQL installs in Secure Mode on NetWare 6.5. In Secure Mode, the default 
MySQL administrative account, Root, has rights to log in only at the database server. Therefore, 
if MySQL is running in Secure Mode and you want iManager to use the Root account to log in 
to the database, MySQL and the iManager Web server must be located on the same server and 
you must specify a loopback address (“127.0.0.1” or “localhost”) in the Host field. 


Password The password the logging server uses to authenticate with the database. 


The default password for the NetWare 6.5 data store is auditpwd. (This default can be changed 
during the installation of Novell Nsure Audit.) 


IMPORTANT: If you do not specify a different default password during the installation, new 
databases can be created and accessed using the default username and password. To prevent 
this, specify a different default password during the install. 


Store Password Stores the password the logging server uses to authenticate with the database. This enables 
¡Manager to automatically log in to the database. 


If you do not mark the Store Password option, you must enter the password each time you run 
a query on the current database. 


Editing and Deleting Database Definitions 


After you have created a database definition, you can edit or delete the definition by marking the 
check box next to the database, then clicking Edit or Delete. 


NOTE: Deleting a database definition does not affect the actual database. It only removes the database from 
the Query Configuration task's Database list, which means that iManager can no longer query the database. 


Setting Your Global Options in ¡Manager 


The Global Options screen allows you to set a default limit on the number of rows returned in the 
query results. 


To set a default query limit in ¡Manager: 
1 Open the Query Configuration task. 
1a Click the Roles and Tasks button on the ¡Manager toolbar. 
1b In the Roles and Tasks view, expand the Nsure Audit role. 
Ae Click the Query Configuration task. 
2 In the Query Configuration screen, click Global Options. 
3 In the Global Options screen, specify your default query limit. 
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Option 
Limit Query Result To 


Default Sort Order 


Date/Time Format 


4 When finished, click OK. 


The Global Options screen also includes the default sort order and date time format; however, 
these options cannot be modified in the current release. 


The following table provides an explanation of each option in the Global Options screen. 


IMPORTANT: These are global settings. This means that iManager automatically adds these parameters to 
all database queries unless the parameter is expressly defined in the query statement. 
Description 


This option limits the number of rows (that is, records) that are returned from a database query. 


iManager does not have a default sort order. 
You can sort the records in the query results screen by clicking a column heading. 
This option cannot be modified in the current release. 


iManager formats all time and date information in RFC822 UTC format. RFC822 is the Internet 
standard format for electronic mail message headers. All time and date values are expressed 
in UTC rather than local time. 


This option cannot be modified in the current release. 


Importing and Viewing Log Events in iManager 


The Product Events screen lists the events associated with each logging application. The 
information provided on events and event fields is required to define query statements, 
Notification Filters, and Heartbeat Notifications. 

NOTE: For an explanation of event fields, see “Event Structure” on page 155. For information on defining 


Notification Filters and Heartbeat Notifications, see Chapter 9, “Configuring Filters and Event Notifications,” on 
page 99. 


However, before you can view a logging application’s events, you must first import its log schema. 
The log schema (LSC) file catalogs the events that can be logged for a given application. It also 

provides the event descriptions and field labels that iManager uses in its query results. For more 
information, see “Log Schema Files” on page 161. 


Importing Log Schemas 


To import a logging application’s log schema in iManager: 
1 Open the Query Configuration task. 
a Click the Roles and Tasks button on the iManager toolbar. 
1b In the Roles and Tasks view, expand the Nsure Audit role. 
Ae Click the Query Configuration task. 
2 In the Query Configuration screen, click Product Events. 
3 Provide the distinguished name (DN) of the Secure Logging Server. 


If you have multiple logging servers, enter the distinguished name of the logging server that 
loads the Application object configuration at startup. For an explanation, see Chapter 7, 
“Managing Applications that Log to Nsure Audit,” on page 73. 


3a Click the Object Selector button to locate the object in the directory tree. 
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To move up or down in the tree, click the navigation arrows. You can also search the tree 
by entering the object name and context in the Search frame. 


NOTE: iManager only links valid entries. 


3b Click the Object History button to see a list of Logging Server objects that have been 
selected during this iManager session. 


4 From the drop-down list, select which language version of the log schema you want to import. 


If an application does not have a log schema for the selected language, iManager imports 
nothing. 


5 Click Update. 


When you click Update, iManager locates the Logging Server object in the Directory, scans 
the logging server’s supported Application containers, and imports the log schemas from the 
Application objects in those containers. For more information, see “Application Objects” on 
page 74. 


The logging applications and their associated events now appear in the Product Name list. 


Viewing Product Events 

1 Open the Query Configuration task. 
1a Click the Roles and Tasks button on the iManager toolbar. 
1b In the Roles and Tasks view, expand the Nsure Audit role. 
Ae Click the Query Configuration task. 

2 In the Query Configuration screen, click Product Events. 

3 In the Product Events screen, click the plus icon I+ next to the product name. 
This exposes the application’s associated events. 
NOTE: Only those events cataloged in the application’s log schema appear in this list. 


4 Select an event to view the Event ID, description, and field definitions. 


For more information on event fields, see “Event Structure” on page 155. 


Defining Queries in iManager 


iManager uses queries to request information from MySQL and Oracle databases. All queries are 
defined in SQL. Although you must be familiar with the SQL language to create SQL query 
statements, this is the most powerful and flexible query method. 


iManager includes several predefined queries and it includes a Query Builder to help you define 
basic query statements. Of course, you can also build your own query statements. 


You can create two kinds of queries in iManager: manual queries and saved queries. Manual 
queries are simply queries that are not saved; they only run one time. Saved queries are saved in 
the Query list and can be run again and again against different databases. 


IMPORTANT: Saved queries are stored in the User object you use to log in to iManager. Therefore, they are 
not available to other users on the system. 


The following sections provide the information you need to perform the following tasks: 


+ Use Predefined Queries 
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Create Manual Queries 

Create Saved Queries 

Create Saved Queries Using the Query Builder 
Modify and Delete Saved Queries 


Using Predefined Queries 


iManager includes several predefined queries. You can modify these queries or run them "as is." 


1 


Open the Queries task. 

a Click the Roles and Tasks button on the iManager toolbar. 
1b In the Roles and Tasks view, expand the Nsure Audit role. 

Ae Click the Queries task. 


2 Select the predefined queries from the Query list. 
The following table lists the queries that ship with iManager and their functions. 
Query Function 
All Returns all events in the current data store. 
All last hour Returns all events that occurred within the last hour. 
Count Returns the total number of events logged to the current data 
store. 
Distribution Returns the number of times each Event ID has occurred in the 


current data store. 


Creating Manual Queries 


To create a manual query in iManager: 


1 


a A WO N 


Open the Queries task. 

a Click the Roles and Tasks button on the iManager toolbar. 

1b In the Roles and Tasks view, expand the Nsure Audit role. 

Ae Click the Queries task. 

Click Manual Query. 

Select the database you want to query. 

In the Name field, specify the name you want to appear as the title in the query results. 
Define the query statement in the Query window. 

For basic information on building SQL queries, see “Basic SQL Query Syntax” on page 168. 


You do not need to include a FROM clause in your query statement. iManager dynamically 
builds the FROM clause using the table specified in the database definition you select when 
you run the query. However, if the query statement does include a FROM clause, iManager 
queries the table defined in the query statement. 


Click Run Query to run the query. 
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iManager Query Macros 


The following table contains macros that can be used when creating iManager queries: 


Macro Description 

[TIME]= Enables you to limit results to those occuring in a specific time frame. 
[LAST_HOUR] 
[TODAY] 
[YESTERDAY] 


[LAST_24 HOURS] 
[LAST_7_DAYS] 
[THIS_MONTH] 


HexToDec[hex*] Converts a number from hexidecimal to decimal. 
IP[192.168.0.5] Enables you to use an IP address in a query. 
[TABLE] Replaced with the actual table name during the query. 


Creating Saved Queries 
To create a saved query in iManager: 

1 Open the Queries task. 
1a Click the Roles and Tasks button on the iManager toolbar. 
1b In the Roles and Tasks view, expand the Nsure Audit role. 
Ae Click the Queries task. 

2 Click New. 

3 In the Name field, specify the name you want to use to refer to this query. 
The query name appears in the Query list and in the query results’ title. 

4 Define the query statement. 
4a Create the query using the Query Builder. 


For specific information on the Query Builder, see “Creating Saved Queries Using the 
Query Builder” on page 112. 


or 
4b Write the query statement in the Query SQL Statement window 


For basic information on SQL query statements, see “Basic SQL Query Syntax” on 
page 168. 


You do not need to include a FROM clause in your query statement. ¡Manager 
dynamically builds the FROM clause using the table specified in the database definition 
you select when you run the query. However, if the query statement does include a FROM 
clause, ¡Manager queries the table defined in the query statement. 


5 Mark Translate Column Titles if you want to label the column headings in the query results 
screen with the field titles defined in the log schema. 


We recommend that you mark this option only for queries that return one type of event. If you 
mark this option for queries that return multiple types of events, Nsure Audit Report labels the 
column headings with the field titles from the last event returned in the query. 
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IMPORTANT: For this option to work, you must import each application’s log schema. For information, 
see “Importing Log Schemas” on page 108. 


6 When finished, click OK. 


The query now appears in the Query list. 


Creating Saved Queries Using the Query Builder 


If you are unfamiliar with the SQL query language, you can use the Query Builder to help you 
define basic saved queries. The Query Builder simplifies the process of creating a query by 
allowing you to choose from lists of predefined parameters. The Query Builder then constructs the 
query statement from the parameters you select. 


To open the Query Builder fields, select And in the initial drop-down list. 


3 New Query - Microsoft Internet Explorer 
New Query 
*=required 


Name * 


Po e 


Query Builder 


[Event ID +] [Matches +] feDireciory ka [all +] [Done +] 


Query SQL Statement * 


I Translate column titles 


OK | Cancel | 


Because the Query Builder can provide only a limited set of parameters, the queries it creates are 
very simple. However, it is the easiest way to create saved queries and it is capable of creating most 
base-level queries. 


The following table reviews the options in the Query Builder. 


Parameter Description 


Event Field The event field you want to query. You can select the following options from the drop-down list: 
For more information on event fields, see “Event Structure” on page 155. 
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Parameter 


Condition 


Product 


Value 


Operator 


Arrows 


Description 
The condition under which the logging server applies the Value to the Event Field. 


Depending on the Event Field, you can select the following conditions from the drop-down list 
box: 


+ matches 
+ less than 
+ greater than 
+ begins with 
+ contains 


+ is between and 


Limits the query results to a specific logging application. 


This option is available only if you select the Event ID field. 


The value for the designated event field. 


The query statement applies the Value to the designated Event Field under the defined 
conditions. If an event matches the criteria, it is returned in the query results. 


If you select Event ID in the Event field and if the designated product's log schema provides 
event descriptions, ¡Manager displays the event descriptions rather than the Event IDs; 
however, the events are still sorted by their numeric Event ID. Therefore, the event descriptions 
are not listed in alphabetical order, but related events are grouped together. 


To narrow the query results, you can define values for multiple event fields. Using standard and/ 
or operators, you can define multiple event conditions. The done operator indicates the end of 
the query statement. 


The conditions are accumulative; that is, the logging server applies the first condition, then the 
second, then the third, etc., to progressively narrow the results. 


The down-arrow moves the query down into the Query SQL Statement window. ¡Manager 
builds an SQL query statement from the parameters you define in the Query Builder. 


The up-arrow moves an SQL query statement from the Query SQL Statement window to the 
Query Builder. If the query statement includes clauses that are outside the scope of the Query 
Builder, ¡Manager returns the error SOL statement is too complex to use builder. 


Modifying and Deleting Saved Queries 


After you have created a saved query, you can edit or delete the query by marking the check box 
next to the query name and clicking Edit or Delete. 


Running Queries in ¡Manager 


4 Open the Queries task. 
1a Click the Roles and Tasks button on the ¡Manager toolbar. 
1b In the Roles and Tasks view, expand the Nsure Audit role. 
Ae Click the Queries task. 


2 Select the database you want to query from the drop-down list. 
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Queries 


For information on creating Database definitions, see “Defining Your Query Databases in 
iManager” on page 105. 


3 Mark the query you want to run. 
4 Click Run Query. 


iManager returns the query results in a data table; rows represent individual records and columns 
represent fields within those records. You can click any of the column headings to sort the results 
by that field. 


Step 2 of 2: Query results 


You may export and print results by clicking on the corresponding links below. 


Wayne's MySQL - all events 


Export Results | Printer Friendly 


SourcelP ClientTimestamp ClientMS ServerTimestamp Component EventID Severity Grouping Text1 

127.0.0.1 gan 10 Ti 0 tee Cg FIS Obs Info 0 .«smtp.Channels.Logging Services 
E a danae de Cate e a Notations. Lees 
ous 12,203 g zun ara eDirinst Add Value Info 0 .WRUST-JC. novell 
ot S003 A eDirinst Add Value Info 0 [Root]. 

127.0.0.1 Jun CN ge eDirinst add Value Info 0 [Root]. 

127.0.0.1 8 g eae ebirinst | Add Value Info 0 [Root]. 

127.0.0.1 Jun 1 S003 o ieee eDirinst Add Value Info 0 [Root]. 

127.0.0.1 20 18 2003 g Jun 12, 2003  eDirlnst Delete Value Info O WRUST-JC, novell 


4 


If you marked the Translate Column Titles option when you defined the query, iManager labels the 
query results with the field titles defined in the log schema. iManager also displays each event’s 
field titles as you mouse over the event fields. 


NOTE: It is recommended that you only mark the Translate Column Titles option for queries that return one 
type of event. If you mark this option for queries that return multiple types of events, Nsure Audit Report labels 
the column headings with the field titles from the last event returned in the query. For more information on the 
Translate Column Titles option, see “Creating Saved Queries” on page 111. 


Exporting Query Results in iManager 


iManager can export query results in the following formats: 
+ HTML file (*.htm) 
+ Comma-Separated Text file (*.csv) 


+ Tab Delimited Text file (*.txt) 


To export query results in ¡Manager: 


1 Runa query. 
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For step-by-step instructions, see “Running Queries in ¡Manager” on page 113. 
2 Within the query results screen, click Export Results. 
3 Select the export format, then click OK. 

¡Manager brings up a Save As dialog box. 
4 Select the directory location and specify the file name. 


5 Click Save. 


Printing Query Results in ¡Manager 
1 Run a query. 
For step-by-step instructions, see “Running Queries in ¡Manager” on page 113. 
2 Within the query results screen, click Printer Friendly. 
¡Manager opens another window with the query results formatted in an HTML table. 


3 Click File > Print. 


The query results are printed to your default printer. 


Using Nsure Audit Report 


IMPORTANT: Nsure Audit Report is included with NetWare 6.5 for evaluation purposes only. It displays a 
licensing notice and terminates after 10 minutes of use until you install a valid license. 


Nsure Audit Report is a Windows-based, ODBC-compliant application that can use SQL query 
statements or Crystal Decisions Reports to query Oracle and MySQL data stores (or any other 
database that has ODBC driver support). You can define your own SQL query statements or import 
existing query statements and reports. Some logging applications might also include their own 
predefined queries or reports. Query results are returned in simple data tables; rows represent 
individual records and columns represent fields within those records. 


This section provides the information you need to use Nsure Audit Report to generate queries and 
reports. It includes 


¢ “Installing Nsure Audit Report” on page 116 

¢ “Launching Nsure Audit Report” on page 116 

+ “Nsure Audit Report Interface” on page 116 

+ “Defining Your Databases in Nsure Audit Report” on page 117 

¢ “Setting Default Options in Nsure Audit Report” on page 119 

¢ “Importing and Viewing Events in Nsure Audit Report” on page 121 
+ “Verifying Event Authenticity in Nsure Audit Report” on page 123 
¢ “Working with Reports in Nsure Audit Report” on page 125 

+ “Working with Queries in Nsure Audit Report” on page 127 
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Installing Nsure Audit Report 


Nsure Audit Report is installed with NetWare 6.5. For information on the Windows install, see 
“Installing Novell Nsure Audit” on page 37. 


The Nsure Audit Report program file, Ireport.exe, is installed to the \program files\novell\nsure 
audit directory. 


Launching Nsure Audit Report 


During installation, Nsure Audit Report is added to the Start menu. To start Nsure Audit Report 
from the Start menu, click Start > Programs > Nsure Audit Reporting Application. 


Nsure Audit Report Interface 


Y Nsure Audit Report 
File Edit Query View Window Help 


Ta} 
a Y 
E 


Sy 


AAA Bars 


2 Workspace 


The Workspace window includes four panes: 


+ The Queries pane lists your defined queries. You can create, delete, or run queries in this pane. 
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+ The Reports pane lists the predefined Crystal Reports. You can import or run reports in this 
pane. 


+ The Events pane lists your logging applications and their associated events. You can run 
distribution reports or count an application’s overall events in this pane. 


You must import the applications’ log schemas before they appear in the Events pane. For 
more information, see “Importing Log Schemas” on page 121. 


+ The Databases pane lists the databases that you can query. 


You must define your databases before they appear in the Database pane. For more 
information, see “Defining Your Databases in Nsure Audit Report” on page 117. 


To move between panes, simply click the tabs at the bottom of the Workspace window. You can 
also open each pane from the View menu. 


The Status Bar displays the currently selected database and table. You can click these fields to 
select another database or table. 


Defining Your Databases in Nsure Audit Report 


Nsure Audit Report allows you to run queries and reports on any ODBC Data Source defined in 
your Windows registry. 


To define your Windows Data Sources, go to the Windows Start menu and click Settings > Control 
panel > Administrative Tools > Data Sources. There you can add, remove, and configure your 
ODBC Data Sources. For more information, see Windows Help. 


After you have defined an ODBC Data Source in Windows, you can add the Data Source to your 
list of available databases in Nsure Audit Report. 


To add a Data Source to your list of available databases in Nsure Audit Report: 
1 Click File > New > Database. 
You can also right-click in the Database pane and select Insert from the shortcut menu. 
2 In the Name field, specify the name you want to use to refer to this database. 
3 Click Browse. 
4 In the Select Data Source window, click Machine Data Source. 


5 Select the Windows Data Source Name (DSN) you want to be able to query in Nsure Audit 
Report. 


6 Specify the username and password Nsure Audit Report can use to authenticate with the 
database. 


If you leave this field blank, Nsure Audit Report uses the username and password defined in 
the Data Source. 


IMPORTANT: The only time you need to specify a username and password is if your Data Source driver 
does not define the username and password or if the username defined in the Data Source does not have 
rights to log in from the current workstation. 


7 When finished, click OK. 
The Data Source now appears in the Database pane and can be selected for queries and reports. 


The following table provides further information on the options in the Define Database menu. 
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Option 


Name 


DSN 


Username 


Password 


Do Not Store Password 


Description 
The name you want to use to refer to this Data Source. 
This name appears in the Databases pane. 


The Windows Data Source Name (DSN) you want to add to your database list. 


For information on defining your Windows Data Sources, refer to Windows Help. 


The username Nsure Audit Report uses to authenticate with the database. 


If you leave this field blank, Nsure Audit Report uses the username and password defined in 
the Data Source. 


The only time you need to enter a username and password is if your Data Source driver does 
not define the username and password or if the username defined in the Data Source does not 
have rights to log in from the current workstation. 


In some cases, the username and password defined in the Data Source might not have rights 
to log in from the current workstation. For example, in Secure Mode, the default MySQL 
administrative account, Root, only has rights to log in at the database server. Therefore, if 
MySQL is running in Secure Mode, you either need to create a new user account with rights to 
log in from the current workstation or you must modify the rights for the Root account. (By 
default, MySQL installs in Secure Mode on NetWare 6.5.) 


The default username for the NetWare 6.5 data store is auditusr. (This default can be changed 
during the installation of Novell Nsure Audit.) This account has all privileges to the default 
database (naudit) and can log in from any IP address. 


The password Nsure Audit Report uses to authenticate with the database. 


NOTE: The default password for the NetWare 6.5 data store is “auditpwd.” (This default can be 
changed during the installation of Novell Nsure Audit.) 


By default, Nsure Audit Report stores the password the logging server uses to authenticate with 
the database. This enables Nsure Audit Report to automatically log in to the database. 


IMPORTANT: If you mark the Do Not Store Password option, you must enter the password 
each time you run a query on the current database. 


Editing and Deleting Data Sources 


To modify or delete a Data Source in Nsure Audit Report: 
1 In the Databases pane, select the Data Source you want to modify or delete. 
2 Right-click to bring up the quick menu. 
3 Modify or delete the Data Source. 
3a Select Properties to modify the Data Source. 
3b Select Delete to delete the Data Source 


NOTE: Deleting a Data Source does not affect the Data Source definition in the Windows registry. 
It only removes the Data Source from the Database list, which means Nsure Audit Report can no 
longer query or run reports on the database. 
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Defining Your Default Database and Table 


Your default database is automatically used for all queries and reports unless a specific database is 
designated in the query statement or another database is selected in the Database pane. 


To define your default database: 
1 Click the Database field on the Status bar. 


2 Select the default database from the list. 


You can also select the database in the Database pane, right-click, and select Set As Default 
Database or choose Query > Default Database from the menu bar. 


To define your default table: 
4 Click the Table field on the Status bar. 


2 Type the name of the default table you would like to use, or select it if it is already present in 
the list, then press Enter. 


You can also click Query > Default Table from the menu. 


Setting Default Options in Nsure Audit Report 


Option 
General 


Default Sort Order 


Result 
Clipboard 


Copy All If No Entries 
Selected 


Copy ’Raw’ Instead of 
Translated Data 


Copy Field Headers 


The Options menu in Nsure Audit Report allows you to set your default sort order, query limits, 
date/time format, and clipboard options. 


To bring up the Options menu, click View > Options from the menu bar. 


The following table reviews the selections in the Options menu. 


Description 


The order in which records are sorted in the query results window. 


If you select ascending or descending, the records are sorted by the first column in the output 
which is the source IP address by default. 


The following Clipboard settings determine how query data is copied to the clipboard. 


If no entries are selected when you press Ctrl+C in the Query Results window, all of the query 
information is copied to the clipboard. 


Information is copied to the clipboard exactly as it appears in the database. 


This means that all translated data (including IP addresses, signatures, dates, Severity level, 
Event ID, and other numeric values) are copied in their raw format. For example, a Severity 
level of Emergency would be copied as a 1. 


The field titles defined in the log schema files are copied to the clipboard along with the data in 
their associated fields. 


IMPORTANT: This option requires that you import each logging application’s log schema. For 
more information, see “Importing Log Schemas” on page 121. 
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Option 


Column Separation String 


Limits 


Limit Results To __ Rows 


Printing 
Header Font 
Data Font 


Footer Font 


Translation 


Date/Time Format 


RFC822 UTC 


RFC822 


Locale 


Locale Date 


Locale Time 


Binary Data 


Don't Display 


Description 


When records are copied to the clipboard, the text string entered in this field is used to delineate 
the fields within each record. 


This option facilitates cut and paste functions. For example, if you wanted to cut and paste data 
into an Excel spreadsheet, you would use a comma ( , ) delimiter. If you wanted to paste the 
data into tabular columns, you would use a tab delimiter. 


This option limits the number of rows (that is, records) that are returned from a database query. 


This is a global setting. This means that Nsure Audit Report automatically adds this parameter 
to all database queries unless the parameter is expressly defined in the query statement. 


The following options determine which fonts are used to print query results. 
The font used to print the column headers. 
The font used to print the query data (that is, the fields within each record). 


The font used to print the footer in the query results page. The footer contains the page number 
and query string. 


The following options determine how Nsure Audit Report presents date and time information in 
the query results. 


This is a global setting. This means that Nsure Audit Report automatically adds this parameter 
to all database queries unless the parameter is expressly defined in the query statement. 


All time and date information is formatted in RFC822 format, which is is the Internet standard 
format for electronic mail message headers. 


All values are expressed in UTC. 
All time and date information is formatted in RFC822 format. 


All values are expressed in local time as defined in the workstation’s Windows settings. 


All time and date information is formatted according to the standards and formats selected in 
the workstation’s Windows settings. 


All values are expressed in local time as defined in the workstation’s Windows settings. 


All date information is formatted according to the standards and formats selected in the 
workstation’s Windows settings. (Time information is not included.) 


All values are expressed in local date format as defined in the workstation’s Windows settings. 


All time information is formatted according to the standards and formats selected in the 
workstation’s Windows settings. (Date information is not included.) 


All values are expressed in local time as defined in the workstation’s Windows settings. 
Events logged to Novell Nsure Audit include a data field that can contain up to 3072 bytes of 
data. The following options determine how Nsure Audit Report handles the information in the 
event's data field. 


The data field is not included in the query results. 
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Option Description 


Display ASCII The data field is included in the query results and displays in ASCII format. 

Display hex The data field is included in the query results and displays in hexadecimal format. 

Display first __ bytes Limits the amount of information that is included from the data field. The maximum is 3072 
bytes. 


Importing and Viewing Events in Nsure Audit Report 


The Events pane allows you to view logging application properties as well as event data. The 
information provided on applications and their associated events can be used to define query 
statements, Notification Filters, and Heartbeat Notifications. 


NOTE: For an explanation of event fields, see “Event Structure” on page 155. For information on defining 
Notification Filters and Heartbeat Notifications, see Chapter 9, “Configuring Filters and Event Notifications,” on 
page 99. 


Before you can view a logging application’s events, however, you must first import its log schema. 
The log schema catalogs the events that can be logged for a given application. It also provides the 
event descriptions and field labels that Nsure Audit Report uses in its reports. For more 
information, see “Log Schema Files” on page 161. 


Importing Log Schemas 


Novell Nsure Audit stores each application’s log schema (LSC) file in its respective Application 
object. (English LSC files are stored under the NAuditAppSchemaEn attribute.) Therefore, when 
you import log schemas, Nsure Audit Report reads the information from the Application objects 
on the designated logging server. 


To import a logging application’s log schema in Nsure Audit Report: 
1 Click File > Import > Application Schemata. 
2 Specify the IP address or host name of the Secure Logging Server. 


If you have multiple logging servers, specify the IP address of the logging server that loads 
the logging system’s Application object configurations at startup. For more information, refer 
to the logging server’s Application Container property. 


3 From the drop-down list box, select which language version of the log schema you want to 
import. 


If an application does not have a log schema for the selected language, Nsure Audit Report 
imports the application’s English log schema. 


When you click OK, Nsure Audit Report connects to the logging server and imports the log 
schemas from all Application objects in the logging server’s supported Application 
containers. For more information, see “Application Objects” on page 74. 


IMPORTANT: Nsure Audit Report writes the log schema files to its cache file, Ireport.Isc, in the Windows 
Home Directory. Therefore, the account you use to log in to Windows XP must have right to the account's 
Windows Home Directory. The Windows Home Directory is defined in the User Profile. For more 
information, see Home Directory in Windows Help. 


4 Click OK in the confirmation dialog box. 
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The Import Confirmation dialog box notes that you must restart Nsure Audit Report before 
the new schemas appear in the Events tab. 


5 Restart Nsure Audit Report. 


The new applications and their associated events now appear in the Events pane. 


Viewing Application Properties and Events 


IMPORTANT: To view events in the Events pane, the account you use to log in to Windows XP must have 
rights to the Windows Home Directory. The Windows Home Directory is defined in the User Profiles. For more 
information, see "Home Directory" in Windows Help. 


To view a logging application’s properties in Nsure Audit Report: 
1 In the Events pane, select an application. 
2 Right-click to bring up the shortcut menu. 
3 Select Properties. 


The Application Properties window displays the following information: 


Attribute Description 


Application Identifier The name assigned to the current application. 


The Application Identifier is also stored in the application’s certificate. The 
Application Identifier is part of the Component string for every event logged 
from the current application. For more information, see “Application 
Objects” on page 74. 


Application ID The four-digit hex value assigned to the current application. 


The Application ID is part of the Event ID for every event logged from the 
current application. All Application IDs are assigned through Novell 
Developer Support and are maintained in the Novell Nsure Audit central 
registry. For more information, see “Application Objects” on page 74. 


Description The application description provided in the application’s log schema. 


To view a logging application’s events in Nsure Audit Report: 
1 In the Events pane, expand the application’s folder. 


This exposes the application’s associated events. Only those events cataloged in the 
application’s log schema appear in this list. 


2 Right-click to bring up the shortcut menu. 
3 Select Properties. 


You can also double-click an event to bring up the Event Properties window. 
The Event Properties window displays the Event ID, description, and field information. 


For more information on event fields, see “Event Structure” on page 155. 
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Verifying Event Authenticity in Nsure Audit Report 


To provide non-repudiable logs, Novell Nsure Audit can digitally sign each event that is logged to 
the data store. To sign an event, the logging application or the Platform Agent hashes the event 
data and signs the hash with the Logging Application’s private key. The signature is then stored as 
part of the event. This signature allows the auditor or investigator to determine if an event has been 
changed. 


To allow auditors to determine if an event has been deleted or the sequence of events has been 
changed, Novell Nsure Audit can also chain its event signatures. That is, if event chaining is 
enabled, each event’s signature includes its own data as well as the signature from the previous 
event. 


Event chaining is enabled in the Platform Agent’s configuration file, logevent. For information on 
configuring this option, see “Logevent” on page 52. 


If event chaining is enabled, Nsure Audit Report can verify that all the events logged to the data 
store for each logging application are authentic; that is, it can validate the event signatures to 
determine if an application’s events have been tampered with, deleted, or if the sequence of events 
has been changed. 


Future iterations of Nsure Audit Report will allow you to verify individual events. 
To verify that an application’s logged events are authentic: 
1 Click Query > Verify Authenticity. 
Select the database where the events are logged. 
Specify the table where the events are logged. 


Select the logging application for the events you want to validate. 


a A WO N 


If the application is running on multiple systems, specify the IP address or host name of the 
Platform Agent that logged the events you want to verify in the Source Address field. 


6 Ifyou want to filter events, you can enter the component string for the events you want to 
validate in the Optional Filter field. 


7 Specify the path and filename for the Logging Application Certificate. 
Click Browse to locate the Logging Application Certificate in the directory tree. 
8 Click Verify. 


The following table provides more information on the Verify options. 


Option Description 

Database The database containing the events you want to verify. 
Table The table containing the events you want to verify. 
Application The logging application’s events you want to verify. 


In most cases, each logging application has its own certificate. This 
means that event signatures are typically application-specific. 
Therefore, NSure Audit Report verifies event signatures on a per 
application basis. 
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Option Description 


Source Address The IP address or host name of the Platform Agent that logged the 
events you want to verify. 


The only time you need to enter a source address is if the logging 
application is running on multiple systems. This allows Nsure Audit 
Report to identify which event chain to verify. 


Optional Filter If you only want to verify the events for a specific component or 
module within a logging application, you can enter the component's 
Component String. 


For more information on Component Strings, see “Event Structure” on 
page 155 and “Component Strings” on page 160. 


App Certificate The path and filename for the Logging Application Certificate used to 
sign the application’s events. 


The Logging Application Certificates for the eDirectory and NetWare 
instrumentations are available in the following directories: 


+ sys:\system\naudit (NetWare) 
+ \program files\novell\nsure audit\logschema\ (Windows) 
+ /opt/novell/naudit//logschema/ (Linux) 


+ /opt/NOVLnaudit/logschema/ (Solaris) 


For the locations of other logging application’s certificates, refer to the 
product documentation. 


After Nsure Audit Report verifies the application’s events, it returns the verification results. 


==| ¥erification of Authenticity 


ne is the first event in the database, but not the first event in the chain. Earlier events are missing. 127.0.0.1 6/10/2003 4:57:06 AM 6/10/20 
2 previous events are missing. 127.0.0.1 6/10/2003 4:57:06 AM ; 6/10/20 
The previous event is missing. 127.0.0.1 6/10/2003 4:57:06 AM 51 6/10/20 
Event has been tampered with. 127.0.0.1 6/10/2003 4:57:06 AM 60 6/10/20 


4996 records Peter's desktop (6/14/20 


If the event chain is authentic, Nsure Audit Report returns a message that the table’s events have 
been verified as authentic.If the event chain is not authentic, Nsure Audit Report lists each problem 
and its associated event. 


There following table provides an explanation for each signature error. 
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Signature Error 


Logging application restarted. This is the first 


Explanation 


The logging application shut down and restarted, so the event count field 


event after the restart, but it cannot be verified if 
events have been removed at the end of the 
previous chain. 


This is the first event in the database, but not the 
first event in the chain. Earlier events are missing. 


The previous event is missing. 


x previous events are missing. 


Event has been tampered with. 


(ClientMS) started again at 0; therefore, the event chain was broken. 


You can determine if the application restart was malicious or not by looking 
at the last event in the previous event chain. Logging applications send an 
event when they are unloaded, so if the last event in the previous event 
chain is an application unload event, you know that no events have been 
deleted. 


The current event is the first event in the database, however, the event 
count field (ClientMS) indicates this is not the first event in the chain. 


This message occurs if you have rolled or expired your data store. You can 
use the following methods to determine if any events are missing: 


+ If you expired your data store, you can look at the current event's time 
stamp to see if it occurred at the time you expired the data store. 


+ If you rolled the data store, you can look at the event count field for the 
last event in the archived data store to determine if it preceded the 
current event. 


The current event's signature does not include the signature from the 
previous event. 


Using the event count field (ClientMS), Nsure Audit Report can determine 
that only the previous event is missing. 


The current event’s signature does not include the signature from the 
previous event. 


Using the event count field (ClientMS), Nsure Audit Report can determine 
approximately how many previous events are missing. 


The current event’s signature is not valid. 


Although it includes the signature from the previous event, the event data 
in the signature does not match the current data. 


Working with Reports in Nsure Audit Report 


In Nsure Audit Report, the term “reports” refers specifically to Crystal Decisions Reports (*.rpt). 
Crystal Decisions Reports graphically summarize specific sets of log data in pie charts, bar charts, 


and so forth. 


Nsure Audit Report allows you to import and run Crystal Decisions Reports. Some logging 
applications might also include their own pre-defined reports. You do not need Crystal Reports to 
run reports; however, if you have Crystal Reports, you can customize the predefined reports or you 
can design your own reports and import those reports into Nsure Audit Report. 


Nsure Audit Report stores the report name and path in the Windows registry under 
HKEY CURRENT_USER\Software\Novell\Log Report Application\1.0\Reports; however, the 
actual report file is stored in the directory structure. 


The following sections discuss working with reports in Nsure Audit Report: 


+ “Importing Reports” on page 126 
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+ “Deleting Reports” on page 126 

+ “Running Reports” on page 126 

¢ “Drilling Down on Report Data” on page 127 
+ “Exporting Reports” on page 127 

+ “Printing Reports” on page 127 


Importing Reports 
To import Crystal Decisions Reports: 

1 In the Reports pane, right-click to bring up the shortcut menu. 

2 Select Insert. 

3 In the Name field, enter the name you want to appear in the Reports pane. 

4 In the File field, enter the path and filename for the Crystal Decisions Report. 
Click Browse to locate the file in the directory tree. 

5 When finished, click OK. 
Nsure Audit Report adds the report to the Reports pane. 


Nsure Audit Report stores the report name and path in the Windows registry under 
HKEY CURRENT_USER\Software\Novell\Log Report Application\1.0\Reports; however, the 
actual report file is stored in the directory structure. 


Deleting Reports 


To delete a Report in Nsure Audit Report: 
1 In the Reports pane, select the report you want to delete. 
2 Right-click to bring up the shortcut menu. 
3 Select Delete. 


Running Reports 
NOTE: You do not need Crystal Reports to run Crystal Decisions Reports in Nsure Audit Report. 
To run a report in Nsure Audit Report: 


1 In the Databases pane, select the database you want to run the report on. 


NOTE: If you do not select a database, the report runs against the default database. For more 
information, see “Defining Your Default Database and Table” on page 119. 


2 In the Reports pane, select the report you want to run. 
3 Right-click and select Run from the shortcut menu. 
Nsure Audit Report opens the report in the Report window. 
4 To update the report with live data, click the Refresh Data button Z on the Report toolbar. 
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Drilling Down on Report Data 


After you run a report, Nsure Audit Report allows you to drill down on a specific field value. A 
drill-down report returns all records that match the selected field value. 


To run a drill-down report, simply double-click the field value you want to query. 
TIP: The mouse pointer appears as a magnifying glass over drill-down fields. 


When you run a drill-down report, Nsure Audit Report returns all records that match the given field 
value. For example, if you drill down on a SourcelP field that has a value of 192.65.102.159, Nsure 
Audit Report returns all records that have a value of 192.65.102.159 in their SourcelP field. 


Exporting Reports 


Nsure Audit Report can export reports in a variety of formats including Adobe* Acrobat*, HTML, 
Microsoft* Excel, ODBC, Rich Text Format (RTF), Microsoft Word, text, comma-separated 
values (CSV), and XML. 


To export a report in Nsure Audit Report: 
1 Runa report. 
For step-by-step instructions, see “Running Reports” on page 126. 
2 Click File > Export. 


3 Select the file format that you want to export the report to (for example, .pdf, .txt, xml, and 
so forth). 


4 Select the export destination. 
5 Click OK. 
Nsure Audit Report brings up the Save as dialog box. 


6 Specify the export filename, then click Save. 


Nsure Audit Report exports the file in the designated format to the designated path and filename. 


Printing Reports 
To print a report to your default printer: 
1 Run a report. 
For step-by-step instructions, see “Running Reports” on page 126. 


2 Click the Print button on the Report toolbar. 


Working with Queries in Nsure Audit Report 


Nsure Audit Report uses queries to request information from MySQL and Oracle databases. All 
Nsure Audit Report queries are defined in SQL. Although you must be familiar with the SQL 
language to create SQL query statements, this is the most powerful and flexible query method. 


If you are unfamiliar with the SQL language, Nsure Audit Report includes a Query Expert to help 
you define basic query statements. You can also import existing query sets and run them within 
Nsure Audit Report. 


Generating Queries and Reports 127 


Nsure Audit Report stores all queries in the Windows registry under 
HKEY CURRENT_USER\Software\Novell\Log Report Application\1.0\Queries . 


The following sections provide details on working with queries in Nsure Audit Report: 
+ “Importing Queries” on page 128 
+ “Creating Manual Queries” on page 110 
+ “Creating Queries Using the Query Expert” on page 129 
+ “Modifying and Deleting Saved Queries” on page 113 
+ “Custom Query Macros” on page 131 
+ “Running Queries” on page 132 
+ “Managing Query Results in Nsure Audit Report” on page 135 
+ “Exporting Query Results in Nsure Audit Report” on page 136 
+ “Printing Query Results in Nsure Audit Report” on page 137 


Importing Queries 


To import existing queries, you must save the queries in a text-based query file. The query file 
format requires that you enclose the title of each query in square brackets [ ]. The query statement 
is on the line following the title. If you want to enable the Translate Column Titles option, enter 
Translate=1 on the line following the query statement. Empty lines are not legal and any line that 
starts with a hash (#) is commented out. 


For information on the Translate Column Titles option, see “Manually Creating Queries” on 
page 128. 


The following is a sample query file. It contains two queries: All Connection Cleared events and 
All Directory Remove events. 


Query File 


All 'Connection Cleared' events] 
SOL=SELECT * FROM log WHERE eventid=655622 
Translate=1 
All 'Directory Remove' events] 

SOL=SELECT * FROM log WHERE eventid=655368 
Translate=1 


To import SQL queries in Nsure Audit Report: 
4 Click File > Import > Query Set. 
2 Select the query file in the directory tree, then click Open. 
The queries contained in the query file now appear in the Query pane. 


All imported queries are stored in the Windows registry under 
HKEY CURRENT_USER\Software\Novell\Log Report Application\1.0\Queries . 


Manually Creating Queries 


All queries are stored in the Windows registry under 
HKEY CURRENT_USER Software WNovelliLog Report Application 1.OQueries . 
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To manually create a query in Nsure Audit Report: 
1 Click Query > Manual. 
You can also right-click in the Queries pane and select Insert from the quick menu. 
2 In the Name field, specify the name you want to use to refer to this query. 
3 Define the query statement in the Query window. 


4 Mark Translate Column Titles if you want Nsure Audit Report to label the query results with 
the field titles defined in the log schema. 


5 When finished, click OK. 


NOTE: When using mySQL, use the LIMIT statement to prevent an excessively large number of records from 
being returned. Even with a maximum value set in Nsure Audit Report, mySQL returns up to LIMIT records. 


The query now appears in the Queries pane. 


The following table provides further information on the Direct Query options. 


Query Option Description 

Name The name you want to use to refer to this query. 
The query name is listed in the Queries pane and it appears as the title in the query results 
window. 

Query The query statement. 
Queries are defined using the SQL query language. For basic information on SQL queries, see 
“Basic SQL Query Syntax” on page 168. 
If you want your query to dynamically build the FROM clause using the currently selected 
database and table, enter FROM $1 in the query statement. 

Translate Column Titles Mark Translate Column Titles if you want Nsure Audit Report to label the column headings with 


the field titles defined in the log schema. 


We recommend that you mark this option only for queries that return one type of event. If you 
mark this option for queries that return multiple types of events, Nsure Audit Report labels the 
column headings with the field titles from the last event returned in the query. 


IMPORTANT: For this option to work, you must import each applications log schema. For 
information, see “Importing Log Schemas” on page 121. 


Creating Queries Using the Query Expert 


IMPORTANT: To use the Query Expert, the account you use to log in to Windows XP must have rights to the 
Windows Home Directory. The Windows Home Directory is defined in the User Profiles. For more information, 
see Home Directory in Windows Help. 


If you are unfamiliar with the SQL query language, you can use the Query Expert to help you 
define basic database queries. The Query Expert simplifies the process of creating a query by 
allowing you to choose from lists of predefined parameters. The Query Expert then constructs the 
query statement from the parameters you select. 


Generating Queries and Reports 129 


Parameter 
Event 
matches 

is less than 
is more than 
is between 


Events 


Query Expert 


Name: | 


Event Timeperiod | 


[matches v | | y | 


Because the Query Expert can provide only a limited set of parameters, the queries it creates are 
very simple. However, it is the easiest way to create queries and it is capable of creating most base- 
level queries. 


To create a query using the Query Expert in Nsure Audit Report: 
1 Click Query > Expert. 
2 Specify the name you want to use to refer to this query in the Name field. 
3 Define the query parameters. 
3a In the Event menu, define the condition and the event. 
3b In the Timeperiod menu, select a time parameter. 


4 When finished, click OK. 


NOTE: When using mySQL, use the LIMIT statement to prevent an excessively large number of records from 
being returned. Even with a maximum value set in Nsure Audit Report, mySQL returns up to LIMIT records. 


The query now appears in the Queries pane. 


The following table provides further information on the Query Expert’s parameters. 


Description 


The query condition. 


The event parameter. 
The drop-down menu includes all the events for every application listed in the Events pane. 


If the application’s log schema provides event descriptions, Nsure Audit Report displays those 
descriptions in the Event list; however, the events are still sorted by their numeric Event ID. 
Therefore, the event descriptions are not listed in alphabetical order, but related events are 
grouped together. 
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Parameter Description 
Timeperiod The time parameter. 


The query returns only events that occurred in the designated time frame. 


The basic structure of query statements created with the Query Expert is as follows: 


SELECT * FROM table WHERE eventid condition event(s) AND clienttimestamp> Stime_parameter 


Shortcuts 


The Query Expert provides some quick and easy ways to create queries for all the events in a single 
application or for a single event. 


To create a query for all the events in a single application: 
1 Select an application in the Events pane. 
2 Right-click, then select Define Query. 
3 In the Timeperiod menu, select a time parameter. 
4 Click OK. 
To create a query for a single event: 
1 Expand one of the application folders in the Events pane. 
2 Select an event. 
3 Right-click, then select Define Query. 
4 In the Timeperiod menu, select a time parameter. 


5 Click OK. 


Modifying Queries 
To modify a Query in Nsure Audit Report: 
1 In the Queries pane, select the query you want to modify or delete. 
2 Right-click, then select Properties. 
3 Modify the query. 


For information on the query options, see “Creating Saved Queries” on page 111. 


Deleting Queries 


To delete a Query in Nsure Audit Report: 
41 In the Queries pane, select the query you want to delete. 


2 Right-click, then select Delete. 


Custom Query Macros 


Nsure Audit Report has some powerful custom macros that simplify data queries. The following 
table lists the custom query macros that can used in Nsure Audit Report. 
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IMPORTANT: All query macros must be preceded by a dollar sign ($). 


Function 


Now 


ThisMonth 


Today 


LastWeek 


Yesterday 
Date(mm-dd-yyyy) 
Hex(x) 
IP(address) 


Prompt(message) 


PromptDate(mm-dd- 
yyyy) 


PromptHex(hex_value) 


PromptIP(host_or_ip) 


Description 


The currently selected database and table. 


If you want your query to dynamically build the FROM clause using the 
currently selected database and table, enter FROM $1 in the query 
statement. 


The current date and time in local time as defined in the workstation’s 
Windows settings. 


The current month in local time as defined in the workstation’s Windows 
settings 


The current day in local time as defined in the workstation’s Windows 
settings. 


The previous week in local time as defined in the workstation’s Windows 
settings. 


Yesterday in local time as defined in the workstation’s Windows settings. 
The given date in local time. 

The decimal value of hex value x 

An IP address in IPv4 dotted address form, or in host name form. 


Prompts the user for a value. When a query containg this variable is run, 
the user is prompted to input a value based on text. 


For example, select * from $1 where text2=’ $Prompt (Please 
Provide the User Name for which you would like to 
query :)’;, prompts the user to provide a value based on the prompt 
provided by message. This value is then used in the query. 


Prompts the user for a date value, then converts it into seconds since 1970, 
making it consistent with the way dates are stored in the Nsure Audit 
database. The date must be in the form mm-dd-yyyy. 


Prompts the user for a hex value, and converts it to an integer value. 
Prompts the user for a host name or dot-formatted IP address, and 


converts it to an integer consistent to the way IP addresses are stored in 
the Nsure Audit database. 


The following sample query statement illustrates how the query macros can be used: 


SELECT * FROM $1 WHE 


RE eventid=’ $Prompt (Please provide the Event ID to 


query:)’ AND clienttimestamp>$WEEK 


Running Queries 


To run a query in Nsure Audit Report: 


1 Select the database you want to query. 


fa Click the Database field on the Status bar. 
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1b Select the default database from the list. 
2 Select the table you want to query. 

2a Click the Table field on the Status bar. 

2b Select the default table from the drop-down list, then press Enter. 
3 In the Queries pane, select the query you want to run. 


4 Right-click, then select Run. 


Nsure Audit Report returns the query results in a data table; rows represent individual records and 
columns represent fields within those records. You can click any of the column headings to sort 
the results by that field. 


El Nsure Audit Report - [All] 
B Eile Edit Query View Window Help 


iOpen ted GO eT Re 
| SourcelP | ClientTimestamp  [cientms|Servertimestamp | Component Eventi | Severity | Grouping | +] 


192.108.102.142 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM NetMail imapd.nlm Authentication 131075 Info 
192.108.102.142 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM_ NetMail pop3d.nim Authentication 131075 Info 
192.108.102.142 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM NetMail pop3d.nim Authentication 131075 Info 
192.108.102.142 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM NetMail pop3d.nim Authentication 131075 Info 
192.108.102.142 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 4AM NetMail imapd.nim Authentication 131075 Info 
192,108,102,142 6/7/2003 12:09:59 AM 6/7/2003 12:09:26 AM NetMail pop3d.nim Authentication 131075 Info 
192.108.102.142 6/7/2003 12:09:59 AM 6/7/2003 12:09:26 AM NetMail pop3d.nim Authentication 131075 Info 
192.108.102.142 6/7/2003 12:09:59 AM 6/7/2003 12:09:26 AM NetMail imapd.nim Authentication 131075 Info 
192.108.102.142 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM NetMail pop3d.nim Authentication 131078 Notice 
192,108,102,142 6/7/2003 12:09:58 AM 6/7/2003 12:09:25 AM NetMail pop3d.nim Authentication 131099 Info 
192,108,102,142 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM_ NetMail imapd.nim Authentication 131099 Info 
192,108,102,142 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM NetMail pop3d.nim Authentication 131099 Info 
192,108,102,142 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM_ NetMail pop3d.nim Authentication 131099 Info 
192,108,102,142 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM NetMail pop3d.nim Authentication 131099 Info 
192,108,102,142 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM_ NetMail imapd.nim Authentication 131099 Info 
192,108,102,142 6/7/2003 12:09:59 AM 6/7/2003 12:09:26 AM NetMail pop3d.nim Authentication 131099 Info 
192,108,102,142 6/7/2003 12:09:59 AM 6/7/2003 12:09:26 AM NetMail modwebd.nim Authentication 131099 Info 
192,108,102,142 6/7/2003 12:09:59 AM 6/7/2003 12:09:26 AM NetMail pop3d.nlm Authentication 131099 Info 
192,108,102,143 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM NetMail smtpd.nim Authentication 131078 Notice 


192,108,102,143 6/7/2003 12:09:58 AM 6/7/2003 12:09:25 AM NetMail smtpd.nim Queue 131093 Info 
192,108,102,143 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM NetMail smtpd.nim Queue 131093 Info 
192,108,102,143 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM NetMail smtpd.nim Queue 131093 Info 
192,108,102,143 6/7/2003 12:09:59 AM 6/7/2003 12:09:26 AM NetMail smtpd.nim Queue 131093 Info 
192,108,102,143 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM NetMail smtpd.nim Queue 131095 Info 
192,108,102,143 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM NetMail smtpd.nim Queue 131095 Info 
192,108,102,143 6/7/2003 12:09:59 AM 6/7/2003 12:09:26 AM NetMail smtpd.nim Queue 131095 Info 
192,108,102,143 6/7/2003 12:09:59 AM 6/7/2003 12:09:26 AM NetMail smtpd.nim Queue 131095 Info 
192.108.102.143 6/7/2003 12:09:59 AM 6/7/2003 12:09:26 AM NetMail smtpd.nim Queue 131095 Info 


100000000000000000000000000000 
1$100000000000000000000000000000 


192.108.102.143 6/7/2003 12:09:59 AM 


6/7/2003 12:09:26 AM NetMail 


smtpd.nim Queue 131095 Info 


e 


[Ontario (6/12/2003 12:21:20 PM 


| llog [Ontario a 


If you marked the Translate Column Titles option when you defined the query, Nsure Audit Report 
labels the query results with the field titles defined in the log schema. Nsure Audit Report also 
displays each event’s field titles as you mouse over the event fields. 


NOTE: We recommend that you mark only the Translate Column Titles option for queries that return one type 
of event. If you mark this option for queries that return multiple types of events, Nsure Audit Report labels the 
column headings with the field titles from the last event returned in the query. For more information on the 
Translate Column Titles option, see “Manually Creating Queries” on page 128. 


Running Event Distributions 


Event Distributions tell you how many times each type of event has occurred for a given 
application. For example, if you run an Event Distribution for NetWare, NSure Audit Report 
returns the number of times each event listed in the NetWare log schema occurred. 


To run an Event Distribution in Nsure Audit Report: 


1 Select the database you want to query. 
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Counting Events 


a Click the Database field on the Status bar. 

1b Select the default database from the list. 
2 Select the table you want to query. 

2a Click the Table field on the Status bar. 

2b Select the default table from the drop-down list, then press Enter. 
3 In the Events pane, select an application. 


4 Right-click, then select Distribution. 


Nsure Audit Report returns the number of times each of the application’s events occurred in the 
selected database. 


==| Distribution of Events for App NetMail" Bec g 
count(Eventib) [2] 

Bad Password 10486 
Unhandled Request 188053 
Login 682838 
Max Bad Passwords 21 
Unknown User 30238 
Password Change 152 
Secret Change 42 
Account Created 139 
Account Disabled 3 
Message Received 208401 
Message Sent 55743 
Connection Blocked 157572 
Recipient Blocked 80990 
Message Relayed 10253 
Recipient Limit Reached 10913 
New Connection 1369010 
Spam Blocked 164 
Virus Blocked 1577 
Message forwarded 10013 zi 


(36 records ¡Ontario 6/14/2003 12:03:20 PM y 


The Distribution window lists the Event ID and how many times that Event ID occurred. To sort 
on the Event ID, click the Event ID column. To sort by the number of occurrences, click the Count 
column. 


NOTE: If the application's log schema provides event descriptions, Nsure Audit Report displays those 
descriptions in the Event ID column. However, when you sort on the Event ID column, events are sorted by 
their numeric Event ID, not by their description. Consequently, the event descriptions are not listed in 
alphabetical order, but related events are grouped together. 


If you want to know how many events have been logged for a given application, or the number of 
occurrences for a specific event, you can run an event count. An event count simply returns the 
number of events logged to the current database. 


To run an event count for a logging application in Nsure Audit Report: 
1 Select the database you want to query. 
1a Click the Database field on the Status bar. 
1b Select the default database from the list. 


2 Select the table you want to query. 
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2a Click the Table field on the Status bar. 

2b Select the default table from the drop-down list, then press Enter. 
3 Select an application in the Events pane. 
4 Right-click, then select Count. 


Nsure Audit Report returns the total number of events that have been logged for the selected 
application. 


To run an event count for a single event: 
1 Select the database you want to query. 
a Click the Database field on the Status bar. 
1b Select the default database from the list. 
2 Select the table you want to query. 
2a Click the Table field on the Status bar. 
2b Select the default table from the drop-down list, then press Enter. 
3 Expand an application folder in the Events pane. 
4 Select one of the application’s events. 
5 Right-click, then select Count. 


Nsure Audit Report returns the total occurrences of the selected event. 


Managing Query Results in Nsure Audit Report 


After it returns the query results, Nsure Audit Report allows you to further process the data by 
dynamically sorting records, running drill-down queries, copying specific records, and viewing 
event properties. 


Sorting Records 


To sort the query results by a specific field, click the corresponding field heading. Nsure Audit 
Report toggles between ascending and descending order. The first time you click, Nsure Audit 
Report sorts the records in ascending order. If you click again, it sorts the record in descending 
order, and so forth. 


Drilling Down on Query Data 


After you run a report, Nsure Audit Report allows you to drill down on a specific field value. A 
drill-down report returns all records that match the selected field value. 


To run a drill-down query: 
1 Position your mouse pointer over the field value you want to query. 
2 Right-click, then select Drill-down. 


Nsure Audit Report returns all records that match the selected field value. For example, if you 
drill-down on a SourcelP field that has a value of 192.65.102.159, Nsure Audit Report returns all 
records that have a value of 192.65.102.159 in their SourcelP field. 
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Copying Records 
To copy specific records from the query results: 
4 Select the records you want to copy. 
da Shift-click to select contiguous records. 
1b Ctrl-click to select non-contiguous records. 
2 Right-click, then select Copy. 


You can also press Ctrl+C. 


The query data can be copied to the Windows Clipboard in raw format, it can have field delimiters, 
and it can include field headers. How information is copied to the Windows Clipboard is managed 
through the Clipboard settings in the Nsure Audit Report Options menu. For more information, see 
“Setting Default Options in Nsure Audit Report” on page 119. 

NOTE: If the Copy All if No Entries Selected option is marked in the Options menu, you can copy all the 
records in the query results window by not selecting any records and pressing Ctrl+C. 


Viewing Individual Records 
To view a specific a specific record’s properties: 
1 Select the record you want to view. 
2 Right-click, then select Properties. 


You can also double-click the record. 


Exporting Query Results in Nsure Audit Report 


Nsure Audit Report can export query results in the following formats: 
+ HTML (*.htm) 
+ Comma-separated values (*.csv) 
+ Text (tab-delimited) (*.txt) 
To export query results in Nsure Audit Report: 
1 Runa query. 
For step-by-step instructions, see “Running Queries” on page 132. 
2 Click File > Export. 
3 In the Export Results dialog box, define the export file’s path and filename. 
4 Click the Save As Type drop-down list, then select the export format. 
5 Click Save. 


Exporting Specific Records 
4 Select the records you want to export. 
ta Shift-click to select contiguous records. 
1b Ctrl-click to select non-contiguous records. 


2 Click File > Export. 
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Printing Query Results in Nsure Audit Report 


To print the query results to your default printer: 
1 Runa query. 
For step-by-step instructions, see “Running Queries” on page 132. 
2 Click File > Print. 


You can also right-click, then select Print. 


Printing Specific Records 
To print specific records from the query results: 
1 Select the records you want to print. 
1a Shift-click to select contiguous records. 
1b Ctrl-click to select non-contiguous records. 
2 Click File > Print. 


You can also right-click, then select Print. 


Working with Data Logged by the File Channel 


The File channel allows the logging server to log events directly to file, rather than logging to a 
database. The file channel can log a large number of events per second, but it cannot be queried 
using standard tools to extract data. 


To view data logged by the file channel: 
1 If your log file is in raw format, use the letrans utility to convert it to human-readable format. 
2 Open the log file in an application that supports delimited text files, such as Microsoft Excel. 


3 Use the log schema file for the application which logged the events to determine the contents 
of each column. Additional information on log schema files is contained in “How LSC Files 
Are Used” on page 162. 
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Security and Non-Repudiation 


Novell® Nsure™ Audit leverages digital certificates and signatures to ensure your log files are 
valid and non-repudiable. This section includes the information you need to authenticate your 
logging applications and validate your data store’s record of events. 


+ “Authenticating Logging Applications” on page 139 

+ “Signing Events” on page 141 

+ “Creating the Secure Logging Certificate” on page 142 

+ “Creating Logging Application Certificates” on page 143 
+ “Validating Certificates” on page 144 


Authenticating Logging Applications 


The Secure Logging Server uses digital certificates and Application IDs to verify the identity of 
all its logging applications. In fact, the Secure Logging Server only accepts connections from 
applications that have a valid Logging Application Certificate and Application Identifier. This 
ensures that unknown or spoofed entities cannot submit events to the data store. 


NOTE: The Application Identifier is the name the logging application uses to identify itself to the logging server. 
The Application Identifier is stored in the application’s certificate and Application object. For more information, 
see “Application Objects” on page 74. 
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Logging Secure 
Application Logging 
Certificate Certificate 


. Secure 
Logging 
Application ee 


Platform 
Agent 


The basic authentication process is as follows: 
1. The logging application calls the Platform Agent. 
2. The Platform Agent submits the application’s certificate to the Secure Logging Server. 


3. The Secure Logging Server validates the certificate and verifies the Application Identifier 
stored in the certificate. 


+ A valid Logging Application Certificate must be signed with the Secure Logging Server’s 
own certificate. 


¢ A valid Application Identifier must be associated with an Application object in one of the 
Secure Logging Server’s supported Application containers. 


4. Ifthe certificate and the Application ID are valid, the Secure Logging Server accepts the 
logging application's connection. 


5. The logging application begins to log events. 


The Secure Logging Server’s certificate (the Secure Logging Certificate) is the logging system’s 
root certificate; that is, it is used to sign certificates for all the logging applications. Every 
instrumented application must have a certificate signed by the Secure Logging Server’s certificate. 


The Secure Logging Server and all logging applications ship with their own embedded certificates. 
Using these certificates, the Secure Logging Server is able to validate each logging application’s 
identity; however, the embedded certificates are not necessarily “secure” because the same 
certificates are distributed with every copy of the software. 
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If you want to further secure your logging system, you can use custom certificates generated with 
the AudCGen utility. To generate your own certificates, see “Creating the Secure Logging 
Certificate” on page 142 or “Creating Logging Application Certificates” on page 143. 


Signing Events 


Logging is an effective and useful way to determine what is happening on your system. The 
resulting data can be used for many administrative activities, including troubleshooting, usage 
characterizations (determining how people are using a system), and determining the cause (or 
responsible party) of an undesirable event. 


However, if you are trying to hold someone accountable for an undesirable event (such as 
accessing unauthorized information or sabotaging data), standard unprotected logs can be 
insufficient. This is because individuals can tamper with logs to delete any trace of their actions or 
to imply another cause for the event. Alternatively, an individual might simply claim that the logs 
have been tampered with, even if they haven't. Either case makes it difficult to hold an individual 
accountable for an event, especially if the individual in question is a system administrator who has 
access to the logs or has the ability to generate counterfeit events. 


For this reason, any logging system that is used for forensic evidence must provide non- 
repudiation. In other words, the system must, at a minimum, be able to prove that logs have not 
been tampered with so that a clear tie to the responsible party can be made. 


Nsure Audit achieves non-repudiation by digitally signing each event that is logged to the data 
store. To sign an event, the logging application or the Platform Agent hashes the event data and 
signs the hash with the Logging Application’s private key. The signature is then stored as part of 
the event. This signature allows the auditor or investigator to determine if an event has been 
changed. To validate an event, the signature process is simply repeated and the two signatures are 
compared. If the signatures match, the event is valid; if not, the event has been tampered with. 


To allow auditors to determine if an event has been deleted or if the sequence of events has been 
changed, Nsure Audit can chain its event signatures. That is, if event chaining is enabled, each 
event’s signature includes its own data as well as the signature from the previous event. To validate 
the event chain, all the logged events for a single application are re-signed and the event signatures 
are compared. If an event has been deleted or the sequence of events has been changed, the 
signatures in the chain will not match. 


NOTE: Event chaining is enabled in the Platform Agent’s configuration file, logevent. For information on 
configuring this option, see “Logevent” on page 52. For information on validating events in Nsure Audit Report, 
see “Verifying Event Authenticity in Nsure Audit Report” on page 123. 


Using digital signatures and event chaining, auditors can prove with certainty that specific events 
did in fact occur. If a log includes the events and the events’ digital signatures confirm that the log 
has not been modified, that log can be used as non-repudiable forensic evidence in disciplinary or 
legal proceedings. 


For example, let’s say that an employee (Joe) has been accused of insider trading. To prove this 
charge, the company must be able to provide evidence that Joe accessed financial information that 
then influenced his stock trades. The investigator audits the logs to determine if and when Joe 
accessed the financial information. The log events show that Joe did indeed access the financial 
information before making the stock trades in question. If Joe denies the allegation, the 
investigator can show that digital signatures have been used, that the signatures on the events are 
valid, and that the logged events indicate that Joe performed the action. 
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Creating the Secure Logging Certificate 


In the current iteration of Novell Nsure Audit, the Secure Logging Certificate is the system’s 
Certificate Authority (CA); that is, it is the trusted, root certificate that is used to validate all other 
certificates. Therefore, the Secure Logging Certificate is self-signed and it is used to sign all 
Logging Application Certificates. 


NOTE: Future iterations will be able to use secure certificates from an external CA. 


To generate a Secure Logging Certificate, enter the following command at the command prompt: 


audcgen -cert: filenam pkey: filename [-f] [-bits:number] [-serial:number] -ss 


The following table reviews each of the command parameters: 


Parameter Description 
-cert: filename The output path and filename for the Secure Logging 
Certificate. 


The default path and filename is \cacert.pem . 


-pkey: filename The output path and filename for the Secure Logging 
Certificate’s private key. 


The default path and filename is \capkey.pem . 
[-f] Force overwrite. 


AudCGen overwrites any existing certificates or private keys of 
the same name (for example, cacert.pem or capkey.pem) in the 
output directory. 


This parameter is optional. 


If you do not use the -f parameter and there is an existing file, 
AudCGen aborts creation of the certificate. 


[-bits: number] The number of bits for the certificate. 


The default is 512; however, Nsure Audit can handle 
certificates up to 1472 bits. The Platform Agent rejects 
certificates larger than 1472 bits. 


[-serial: number] This parameter assigns a serial number to the current 
certificate. You can use this option to keep track of your 
system’s certificates. 


This parameter is optional. 


-SS Self-sign. 


AudCGen generates a self-signed CA certificate and key. 


The following is a sample command to create a Secure Logging Certificate: 


audcgen -cert:c:\cacert.pem -pkey:c:\capkey.pem -f —bits:512 -serial:12345 -ss 
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Configuring the Secure Logging Server to Use a Custom Certificate 


To enable the Secure Logging Server to use a custom certificate and private key, you must 
configure the Secure Logging Certificate File and Secure PrivateKey File attributes on the 
Logging Server object. For more information, see “Logging Server Objects” on page 55. 


Creating Logging Application Certificates 


To generate a Logging Application Certificate, enter the following command at the command 
prompt: 


audcgen -cert:filenam pkey: filename [-f] [-bits:number] [-serial:number] -appcert: filename 
-apppkey: filename -app:Application_Identifier 


The following table reviews each of the command parameters: 


Parameter Description 


-cert : filename The path and filename to the Secure Logging Certificate that 
AudCGen uses to sign the Logging Application Certificate. 


The default path and filename is \cacert.pem . 


-pkey: filename The path and filename to the Secure Logging Certificate's 
private key. 


The default path and filename is \capkey.pem . 


[-f] Force overwrite. 


AudCGen overwrites any existing certificates or private keys of 
the same name (for example, appcert.pem or apppkey.pem) in 
the output directory. 


This parameter is optional. 


If you do not use the -f parameter and there is an existing file, 
AudCGen aborts creation of the certificate. 


[-bits:number] The number of bits for the certificate. 


The default is 512; however, Nsure Audit can handle 
certificates up to 1472 bits. 


[-serial: number] This parameter assigns a serial number to the current 
certificate. You can use this option to keep track of your 
system’s certificates. 


This parameter is optional. 


-appcert: filename The output path and filename for the Logging Application 
Certificate. 


The default path and filename is /appcert.pem . 


apppkey: filenam The output path and filename for the Logging Application 
Certificate. 


The default path and filename is /apppkey.pem . 
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Parameter Description 
-app:Application_Identifier The logging application’s Application Identifier. 


This value must match the Application Identifier stored the 
logging application’s Application object. 


The following is a sample command to create a Logging Application Certificate for the Novell 
eDirectory™ Instrumentation: 


audcgen -cert:c:\cacert.pem -pkey:c:\capkey.pem -f -bits:512 -serial:12345 
-appcert:c:\appcert.pem -apppkey:c:\apppkey.pem -app:eDirInst 


Enabling Logging Applications to Use Custom Certificates 


The process of enabling a logging application to use a custom Logging Application Certificate can 
vary per application. Please refer to the logging application’s documentation. 


To enable the eDirectory Instrumentation to use a custom Logging Application Certificate, the 
path and filename for the certificate and private key files must be as follows: 


Platform Certificate Path and Filename PrivateKey Path and Filename 
NetWare® \system\dsicert.pem \system\dsipkey.pem 

Windows \windows_directory\dsicert.pem \windows_directory\dsipkey.pem 
Linux and Solaris /etc/dsicert.pem /etc/dsipkey.pem 


The NetWare Instrumentation requires \system\nwicert.pem and \system\nwipkey.pem . 


The NAudit Instrumentation uses the Secure Logging Certificate and private key configured on 
the Logging Server object. 


Validating Certificates 
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In the Nsure auditing system, all certificates must be signed by the Secure Logging Certificate and 
they must contain an Application Identifier. 


To determine if a certificate is valid, enter the following command: 


audcgen -cert: filenam v -appcert:target_certificate 


The following table reviews each of the command parameters: 


Parameter Description 


-cert: filename The path and filename for the Secure Logging Certificate that 
AudCGen uses to validate the certificate. 


The default path and filename is /cacert.pem . 
-v Validate. 


AudCGen validates the certificate designated in the -appcert 
parameter. 


Novell Nsure Audit 1.0.2 Administration Guide 


Parameter Description 


appcert: filenam The path and filename for the Logging Application Certificate to 
validate. 


The following is a sample command to validate the Logging Application Certificate for the 


eDirectory Instrumentation: 


audcgen -cert:c:\cacert.pem -v -appcert:c:\windows\dsicert.pem 
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Troubleshooting NSure Audit 


This section reviews the common issues you might encounter in Novell® Nsure™ Audit or its 
associated utilities. It also covers how to uninstall Novell Nsure Audit. 


+ 


+ 


+ 


+ 


“Common Issues” on page 147 

“Verifying the Secure Logging Server Configuration” on page 152 

“Using the NetWare Instrumentation with Anti-Virus Products” on page 152 
“Uninstalling Novell Nsure Audit” on page 152 


Common Issues 


This section lists common issues you might encounter with Novell Nsure Audit. These include: 


+ 


+ 


+ 


“Secure Logging Server Does Not Load” on page 147 

“Events Are Not Being Logged” on page 148 

“Notifications Are Not Being Executed” on page 150 

“Volume Quickly Runs Out of Disk Space” on page 150 

“The Host Running the Platform Agent is Running Out of Memory” on page 151 
“Nsure Audit MySQL Returns a Cannot Open File Error” on page 151 

“MySQL on Linux Returns a Socket Connection Error” on page 151 

“Oracle on Linux Causes a Cannot Initialize the Logging Subsystem Error” on page 151 


“Nsure Audit Events Sent During Initialization are Not Logged to the Data Store” on page 151 


Secure Logging Server Does Not Load 


If the Secure Logging Server does not load, check the log for any errors that occurred during 
startup. 


+ 


+ 


+ 


On NetWare®, check the console log (4.x/5.x) or logger screen (6.x) for any errors during 
load. 


On Windows, check the \nproduct.log file for any errors that were logged during startup. 


On Linux and Solaris, check the screen for any errors that were printed during load. 


The following table reviews the problems that might prevent the Secure Logging Server from 
loading. 
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Cause 


The driver for the default log channel could not 
be loaded/Could not initialize logging subsystem 


Could not authenticate to MDB. 


Not enough memory 


The server cannot log in to the database. 


Events Are Not Being Logged 


Explanation/Solution 


If this is the case, the Secure Logging Server will abort loading. This is done 
to ensure that the administrator is aware of this potentially serious condition. 


Solution 


Check the error message and fix the indicated problem. For example, if the 
MySQL driver cannot connect to the MySQL server, load the MySQL server. 


This error occurs if the Secure Logging Server cannot successfully initialize 
the MDB interface or if the host is not configured to run the Secure Logging 
Server. MDB is the directory interface used by Nsure Audit. For more 
information, see “Program Files” on page 191. 


Solution 
+ Ensure that eDirectory is working properly on the host. 


+ Configure the host to run the Secure Logging Server. 


During startup, the Secure Logging Server allocates memory for its own 
operation and for the event cache. If this memory cannot be allocated, the 
Secure Logging Server will terminate. 


Solution 


+ Check your Secure Logging Server configuration and adjust the cache 
settings accordingly. 


+ Unload unneeded modules loaded during startup. 
The Secure Logging Server cannot log in to the data store. 
Solution 


Ensure that your MySQL password is correct. Try logging into the MySQL 
monitor using the exact settings that are configured on the MySQL channel. 
For example if the MySQL server IP address is 151.155.167.249, the 
surname is auditusr, and the password is auditpwd, log in to the MySQL 
monitor with the following syntax: 


mysql -h 151.155.167.249 -u auditusr -p 


If you cannot log in, then the MySQL rights are probably not set up correctly. 


The following table reviews the problems that might prevent events from being logged. 
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Cause 


The logging application is logging events to 
cache 


A component is misconfigured 


A component is misconfigured continued 


Explanation/Solution 


If a logging application loads the Platform Agent while the Secure Logging 
Server is not, or not yet, loaded, its events will be logged to the Platform 
Agent’s Disconnected Mode Cache. 


By default, the Platform Agent tries to reconnect to the Secure Logging 
Server only every ten minutes. The Logging Cache Module, on the other 
hand, tries to upload its cached files to the Secure Logging Server every two 
minutes. 


Solution 
Wait for the Platform Agent to reconnect to the Secure Logging Server. 


For information on changing the Platform Agent's reconnect interval, see 
“Logevent” on page 52. 


If you don't see the events after the configured upload interval, verify that 
your configuration is correct. 


There can be a misconfiguration on the Platform Agent or the Secure 
Logging Server that prevents events from being logged. 


Solution 


+ On the Platform Agent, verify that the LogHost specified in the logevent 
file points to the intended server. For information on configuring the 
Platform Agent’s LogHost parameter, see “Logevent” on page 52. 


+ Verify that the computer where the platform agent is running can actually 
reach the loghost via TCP/IP. (A ping will quickly tell.) 


+ Ifthe logging application logs only debug level events, check whether the 
LogDebug option is set to Never, in which case the Platform Agent will 
not send debug level events to the server. For information on configuring 
the Platform Agent’s LogDebug parameter, see “Logevent” on page 52. 


+ Ifthe logging application and Secure Logging Server are using custom 
certificates, make sure that the Logging Application Certificate has been 
signed with the Secure Logging Certificate. For more information, see 
Chapter 11, “Security and Non-Repudiation,” on page 139. 


If a single application is not logging events, 


+ Make sure that the application has an Application object in one of the 
Secure Logging Server’s supported Application containers. For more 
information on Application objects, see Chapter 7, “Managing 
Applications that Log to Nsure Audit,” on page 73. 


+ Verify that the Application Identifier property in the Application object 
matches the Application Identifier stored in the logging application’s 
certificate. For information on Application Identifiers, see “Application 
Objects” on page 74. 


+ Ifyou recently created an Application object, you must restart the logging 
server to load the Application object’s configuration. For information on 
restarting the logging server, see “Secure Logging Server Startup 
Commands” on page 182. 


+ Make sure that the Application container where your Application object is 
located is included in the logging server's list of supported Application 
containers. For information on the logging server’s Application container 
property, see “Logging Server Objects” on page 55. 
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Notifications Are Not Being Executed 


The following table reviews the problems that might prevent notifications from being executed. 


Cause 


A component is misconfigured. 


Explanation/Solution 


There can be a misconfiguration on the Platform Agent or the Secure 
Logging Server that prevents events from being logged. 


Solution 


+ Make sure that the Notification container where your Notification Filter 
object is located is included in the logging server's list of supported 
Notification containers. For information on the logging server’s 
Notification container property, see “Logging Server Objects” on 
page 55. 


+ Ensure that the Notification object has a notification channel. For more 
information on the Notification Channels property, see “Notification 
Filters” on page 100. 


+ Check the console or the startup log to determine if the driver for the 
notification channel is being loaded. 


¢ Verify that the Notification Filter is configured to select the events you 
want to trigger the notification. 


Volume Quickly Runs Out of Disk Space 


The following table reviews the problems that might cause your data store volume to fill up 


quickly. 


Cause 


You aren't cycling the data store. 


You are logging ubiquitous events. 


The data store volume is too small to 


accommodate your logging system traffic. 


Explanation/Solution 


Implement the available log-management functions. 


+ Configure the File Channel object to roll and purge logs. For more 
information, see “File Channel Object” on page 82. 


+ Configure the MySQL Channel object to expire the database. For more 
information, see “MySQL Channel Object” on page 86. 


Review your file system, eDirectory, and NetWare event settings on the 
NCP Server object and possibly disable some often-occurring events to 
avoid filling up your disk subsystem too quickly. 


The space you need for your database depends on a number of factors 
which include, but are not limited to, how many events per second you are 
storing and how long you want to keep the data. 


To determine the required volume size for your logging system, log the 
desired events for about an hour during your host's peak utilization. Use the 
consumed disk space as a basis to calculate your logging system's required 
volume sizes. 


For some general statistics on MySQL data stores, a logging system that 
generates around 80 events per second with an average event size of 80 
bytes will consume approximately 500 MB of disk space for the database 
table and 150 MB for the index in a 24-hour period. 
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The Host Running the Platform Agent is Running Out of Memory 


The following table reviews the problems that might cause the host running the Platform Agent to 
run out of memory. 


Cause Explanation/Solution 


The Disconnected Mode Cache has run out of When the Secure Logging Server is not available, the Platform Agent's 

disk space. Logging Cache module writes incoming events to the Disconnected Mode 
Cache on disk. If the Disconnected Mode Cache runs out of disk space, the 
Logging Cache module falls back to memory. 


The Disconnected Mode Cache and data store If you are running the eDirectory Instrumentation or the NetWare 

are on the same volume. Instrumentation on the same host as the Secure Logging Server, you should 
ensure that the Platform Agent’s Disconnected Mode Cache and the Secure 
Logging Server’s data store are not on the same volume. 


Otherwise, if the volume fills up, you will have a total logging failure. The 
Platform Agent will have no room for the Disconnected Mode Cache and the 
Secure Logging Server will have no place to log events. 


Nsure Audit MySQL Returns a Cannot Open File Error 


If the MySQL database returns error number 145, Cannot Open File, you might need to repair the 
MySQL database. See Appendix B, “Using MySQL with Nsure Audit,” on page 165 for details on 
accessing the MySQL documentation to perform this procedure. 


MySQL on Linux Returns a Socket Connection Error 


If the MySQL database on Linux returns the following error message: 


Can't connect to local MySQL server through socket '/temp/mysql.sock' (2) 2002 


Open /etc/my.cnf in a text editor and change the socket path to /tmp/mysql.sock . 


Oracle on Linux Causes a Cannot Initialize the Logging Subsystem Error 


If you are using Oracle, and you receive a “cannot initialize the logging subsystem” error when 
loading the Secure Logging Server on Linux, make sure you have set the environment variable 
contained in step 3 of “Configuring the Database” on page 175. 


Nsure Audit Events Sent During Initialization are Not Logged to the Data Store 


During initialization, several events are sent to the Secure Logging Server by Nsure Audit. These 
events are not reported by platform agents, and are not intended to be logged to the datastore. 


This can be confusing, as the Secure Logging Server console might show these events as having 
occured, but they are not logged to the data store. Only events logged your platform agents are 
logged to the datastore. 


When troubleshooting your connection, make sure that you cause an event that will be reported by 
a platform agent. 
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Nsure Identity Manager 2 DR1 Update required to Use Nsure Audit 1.0.2 


If you are using Nsure Identity Manager 2 without the DR1 update, do not upgrade to Nsure Audit 
1.0.2 until you have applied the DR1 update. Without the DR1 update, your Identity Manager 
server might be unable to log events to Nsure Audit 1.0.2. 


Verifying the Secure Logging Server Configuration 
To verify the configuration used by the Secure Logging Server, review the Audit events logged to 
the data store. 


The NAudit Instrumentation logs an event every time the Secure Logging Server loads a Channel, 
Notification, or Application object. It also logs an event each time a Channel driver fails to load 
or there is a bad Heartbeat or Notification configuration. Therefore, by reviewing your system’s 
Audit the Auditor events, you can determine if your logging server is performing the way you 
expect. 


For a complete list of Audit the Auditor events, see the NAudit LSC File (http://www.novell.com/ 
documentation/lg/nsureaudit/html/naud_en.htm) 


To review the Audit the Auditor events, you can query the events in iManager or Nsure Audit 
Report. For more information, see “Defining Queries in ¡Manager” on page 109 or “Working with 
Queries in Nsure Audit Report” on page 127. 


Using the NetWare Instrumentation with Anti-Virus Products 


The NetWare Instrumentation, AuditNW, must be loaded any anti-virus product or the server will 
appear to hang and will have to be hard-reset. 


Uninstalling Novell Nsure Audit 


1 Launch Auditext at the server console. 
da On NetWare, enter sys: \system\auditext .nlm 
1b On Windows, enter \program files\novell\nsure audit\auditext.exe 
Ae On Linux, enter /opt /novell/naudit/auditext 
1d On Solaris, enter /opt /NOVLnaudit /auditext 
2 Specify your admin username and password. 
3 Select Remove Schema Extensions, then press Enter. 
AuditExt removes the Logging Services container and all of its objects. 


IMPORTANT: Nsure Audit objects located outside the Logging Services container must be manually 
deleted. 


4 Exit the AuditExt utility. 
5 Remove the Nsure Audit Program files. 
5a On NetWare, delete the following files and directories: 
+ — sys:\system\naudit\ 
+ auditagt.ncf 
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5b 


5c 


5d 


+ auditDS.nlm 

+  auditext.nlm 

+  auditNW.nlm 

¢  auditsvr.ncf 

+ Disconnected Mode Cache directory 
¢  Icache.nlm 

+  lengine.nlm 

+ channel drivers (lgd*.nlm) 
+ logevent.nlm 

+  logevent.cfg 

+ LSC files (*.Isc) 

+ mdb.nim 


For the location of these files and directories, see “Program Filenames and Directories” 
on page 193. 


On Windows: 


+ Click Start > Settings > Control Panel > Add or Remove Programs to launch the Add 
or Remove Programs wizard. 


+ Select Novell Nsure Audit and click Change/Remove. 
+ Inthe InstallShield Wizard, select Remove and click Next. 


+ Inthe confirmation dialog, click OK to remove Novell Nsure Audit and its installed 
components from your system. 


On Linux, enter the following: 

+  novell-AUDTlogserver-1.0.2-*.i586.rpm 
*  novell-AUDTplatformagent-1.0.2-*.i586.rpm 
*  novell-mdb-1.0-5.i386.rpm 

*  novell-AUDTedirinst-1.0.2-*.i586.rpm 
On Solaris, enter the following: 

+*+ pkgrm NOVLaudin 

+ pkgrm NOVLaudit 

+ pkgrm NOVLaudpa 

+ pkgrm NOVLaudpl 

+ pkgrm NOVLmdb 
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Log Events 


All events logged through Novell® Nsure™ Audit have a fixed set of fields. This section reviews 
event structure and its corollary information including event variables, application component 
strings, and log schema files. 


+ “Event Structure” on page 155 

+ “Event Variables” on page 159 

+ “Component Strings” on page 161 
+ “Log Schema Files” on page 162 


Event Structure 


All events logged through Nsure Audit have a standardized set of fields. This allows Nsure Audit 
to log events to a structured database and query events across all logging applications. 


The following diagram calls out the fields that make up a logged event. It also indicates the 
maximum size of each field. 


Group LogLevel IP Client Server 
component Evene ID (Severity) Address Timestamp Timestamp 
System 


(MANDATORY) 


SS ed Se a ee 


255 chrs 32-bit 32-bit 8-bit 32-bit 32-bit 32-bit 


= Numeric Numeric Numeric 


i i Lon Lon Lon MIME 
String Value (1) String Value (2) String Value (3) Value (1) Value (2) ari 43) Hint 
Payload 
ca AAA AS ee 
255 chrs 255 chrs 255 chrs 32-bit 32-bit 32-bit EE bit 
Target ee Originator ae Subtarget ee Data (Binary) 


——— Se a) 


255 chrs 32-bit 255 chrs 32-bit 255 chrs 32-bit 255 chrs 
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Event Field 


Component 


Component continued 


EventID 


GroupID 


The following table explains each event field. 


Description 


The component string is formatted like a DOS pathname, with a backslash ( \ ) separating 
component parts. 


For example: 
\eDirectory\Database\Lookup 
\iChain\Connection Manager\Authentication 
\NetMail\POP3\Authentication 


The first part of the component string is the Application Identifier. The Application Identifier is the 
string the logging application uses to identify itself to the logging server. The Application Identifier is 
stored in the application’s certificate and Application object. 


When the Secure Logging Server authenticates an application’s connection with the Platform Agent, 
it associates the Application Identifier with that connection. Thereafter, it automatically adds the 
Application Identifier to the component string for every event coming from that connection. 


For more information on application certificates and authentication, see Chapter 11, “Security and 
Non-Repudiation,” on page 139. 


The subsequent portions of the component string are defined by the application. Typically, they 
identify modules within the application, types of events, etc. 


The intent of the component string is to facilitate queries across various products and events. For 


example, using wildcard characters, you can search for all iChain® violations (\ichain\*\violations), 
all iChain events (\ichain\*), or violations from every logging application (*\violations). You can also 
use the component string to filter events event chains. See “Verifying Event Authenticity in Nsure 
Audit Report” on page 123. 


For a listing of the Nsure Audit, eDirectory™ and NetWare® component strings, see “Component 
Strings” on page 161. 


The EventID is comprised of two elements. 


The HiWord is the four-digit hex value assigned to the current application. All Application IDs are 
assigned through Novell Developer Support and are maintained in the Nsure Audit central registry. 
Before instrumenting a new application, developers should obtain an AppID through Novell 
Developer Support (http://developer.novell.com/devres/ss/resource.htm). 


The LoWord is the AppEventID assigned by the person instrumenting the application. Typically, 
these values are assigned in ascending order. 


For more information, see the Novell Nsure Audit SDK (http://developer.novell.com/ndk/naudit.htm). 
An ID that can be used to identify related events. 


For example, the NetMail™ instrumentation of Nsure Audit uses this field to store the temporary 
filename assigned to each message as it passes through the message queue. By sorting on the 
Group ID, NetMail administrators can view all events that occurred as that particular message 
passed through the message queue. 
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Event Field Description 


Log Level (Severity) The log level is an indicator of the severity of the reported event. 
+ Emergency events cause the system to shut down. 
+ Alert events require immediate attention. 
+ Critical events might cause parts of the system to malfunction. 
+ Error events are errors that can be handled by the system. 
+ Warnings are negative events that do not represent a problem. 


+ Notices are positive or negative events that an administrator can use to understand or improve 
the use and operation of the current system. 


+ Info represents positive events of any importance. 
+ Debug events are used by support technicians or engineers to debug the current system. 
IP Address The IP address of the Platform Agent that logged the event. 


By default, Nsure Audit stores IP address values in network byte order. 
Client Timestamp The time the Platform Agent received the event from the logging application. 


ClientMS The event count field. 


When a logging application makes a connection to the Platform Agent, the Secure Logging Server 
begins counting the events the come over that connection. The count begins at O for the initial event 
and increments by one for every event. If the logging application is restarted, the event count is reset 
to 0. 


Nsure Audit Report uses this field to determine how many events are missing if the event signatures 
are not to valid. For more information, see “Verifying Event Authenticity in Nsure Audit Report” on 


page 123. 
Server Timestamp The time the logging server received the event. 
Text1 The value of this field depends upon the event. It can contain any text string up to 255 characters. 


The Text1 field is vital to the function of the CVR driver. The CVR driver looks in the event's Text1 
and Text2 fields to identify the defined attribute and object for a given policy. For more information, 
see “CVR Channel Driver” on page 79. 


Text2 The value of this field depends upon the event. lt can contain any text string up to 255 characters. 


The Text2 field is vital to the function of the CVR driver. The CVR driver looks in the event's Text1 
and Text2 fields to identify the defined attribute and object for a given policy. For more information, 
see “CVR Channel Driver” on page 79. 


Text3 The value of this field depends upon the event. It can contain any text string up to 255 characters. 
Value1 The value of this field depends upon the event. It can contain any numeric value up to 32 bits. 
Value2 The value of this field depends upon the event. It can contain any numeric value up to 32 bits. 
Value3 The value of this field depends upon the event. It can contain any numeric value up to 32 bits. 
Mime hint This field identifies the type of data contained in the Data field. 

Target This field captures the target of the event. 
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Event Field Description 


Target Type This field specifies which pre-defined format the target and originator are represented in. Defined 
values for this type are currently: 


+ 0: None 

+ 1: Slash Notation 
+ 2: Dot Notation 
+ 3:LDAP Notation 


Originator This field captures who or what caused the event to happen. 


Originator Type This field specifies which pre-defined format the target and originator are represented in. Defined 
values for this type are currently: 


+ 0: None 

+ 1: Slash Notation 
+ 2: Dot Notation 
+ 3:LDAP Notation 


Subtarget This field captures the sub-component of the target which was affected by the event. 
Data Size This field identifies the size of the data contained in the Data field. 
Data The value of this field depends upon the event. 


If an event has more data than can be stored in the String and Numeric Value fields, it is possible to 
store up to 3 KB of binary data in the Data field. 


Signature The event signature. 


Nsure Audit digitally signs each event that is logged to the data store. To sign an event, the logging 
application or the Platform Agent hashes the event data and signs the hash with the Logging 
Application’s private key. The signature is then stored as part of the event. This signature allows the 
auditor or investigator to determine if an event has been changed. 


If event chaining is enabled, each event’s signature includes its own data as well as the signature 
from the previous event. This allows auditors to determine if an event has been deleted or if the 
sequence of events has been changed. 


Event chaining is enabled in the Platform Agent's configuration file, logevent. For information on 
configuring this option, see “Logevent” on page 52. For information on validating events in Nsure 
Audit Report, see “Verifying Event Authenticity in Nsure Audit Report” on page 123. 


Event Variables 


Nsure Audit provides several variables that can be used to return specific information from an 
event. The syntax for using these variables is 


Sformat event_field 


The event_field variable references a specific field within a logged event. The format variable 
determines how the data from the event field is displayed. Using these two variables, you can call 
specific information from an event and manage how it is displayed. 


For example, event field R returns the IP address of the Platform Agent. Using different format 
variables, the IP address appears as follows: 
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$XR returns 1B043982 
SNR returns 453261698 
SiR returns 130.57.4.27 


The following tables lists the event_field and format variables. 


Event Field Variables 


Variables are constructed by specifying an $ character, followed by a two character code 
representing the variable format and value. For example: 


SEV 


Characters representing the format (F) can be one of the following: 


T - Time (UTC localized) 


D - Date (UTC localized) 
N - Number (32bit unsigned) 


n - Number (32bit signed) 


S - String i - IPv4 Internet Address (host 
order) 
X - Hexadecimal Number B - Boolean (Yes/No) 


R - RFC822 format date/time b - Boolean (True/False) 


| - IPv4 Internet Address 
(network order) 


Characters representing the value (V) can be one of the following: 


R - Source IP Address 
C - Platform Agent Date 
A - Audit Service Date 
B - Originator 


H - Originator Type 


U - Target 


V - Target Type 


Y - SubTarget O - Component 
1 - Numerical value 1 | - Event ID 

2 - Numerical value 2 L - Log Level 

3 - Numerical value 3 M - MIME Hint 
S - Text 1 X - Data Size 


To use the $S variable in the 
SMTP Channel object's 
Recipient field, this value must 
be an e-mail address. For more 
information, see “SMTP 
Channel Object” on page 91. 


T - Text 2 D - Data 


To use the $T variable in the 
SMTP Channel object’s 
Recipient field, this value must 
be an e-mail address. For more 
information, see “SMTP 
Channel Object” on page 91. 


F - Text 3 G - Grouping 
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SE - Description 


This variable returns the value of 
the Notification object’s 
Description field. The value is 
unique in that it is not provided 
by the logging application, but 
by the Notification object that 
directed the event to the current 
Channel driver. The Notification 
object’s description is sent with 
the event to the Channel driver. 
For more information on 
Notification object’s Description 
field, see “Application Objects” 
on page 74 or “Heartbeat 
Objects” on page 102. 


For example, an entry in your log schema file of $N1 would be replaced by the current value of 
the numerical value 1 field as a 32-bit unsigned integer. 


IMPORTANT: Event variables are case sensitive and all variable strings must be preceded by a dollar 
sign ($). 


Component Strings 


The first part of all events logged to Nsure Audit is the component string. The intent of the 
component string is to facilitate queries across various products and events. For example, using 
wildcard characters, you can search for all iChain violations (\ichain\*\violations), all iChain 
events (\ichain\*), or violations from every logging application (*\violations). 


Each logging application has its own set of components. The following sections list the 
components strings for Novell eDirectory, NetWare, and “audit the auditor” events. For 
information on other component strings, refer to the logging application’s product documentation. 


eDirectory Component Strings 


The components for the eDirectory Instrumentation are as follows: 


Object Attribute 
Debug Misc 

Agent Connection 
Bindery Schema 
Partition Replica 
Meta 


For more information on the eDirectory Instrumentation, see “eDirectory Events” on page 71. 


These components are combined with the eDirectory Application Identifier (eDirInst) to form the 
component strings for all eDirectory events. For example, 


eDirInst\Object 
eDirelInst\Replica 
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NetWare Component Strings 


The components for the NetWare Instrumentation are as follows: 


File Directory 
Trustee Volume 
Module Network 
Connection Alert 
Server 


These components are combined with the NetWare Application Identifier (NetWarelnst) to form 
the component strings for all NetWare events. For example, 


NetWarelnst\File 
NetWarelnst\Network 


Audit the Auditor Component Strings 


The components for NAudit Instrumentation are as follows: 


Generic License 
Authentication Log 

Channel Configuration 
Heartbeat Engine 


These components are combined with the Novell Nsure Audit Application Identifier 
(NsureAuditInst) to form the component strings for all Novell Nsure Audit events. For example, 


NsureAuditInst\Channel 
NsureAuditInst\Log 


Log Schema Files 


Log Schema (LSC) files catalog the events that can be logged for a given application. They also 
provide event descriptions and field titles, although this is optional. For information on creating 
Log Schema files, see the Novell Nsure Audit SDK (http://developer.novell.com/ndk/naudit.htm). 


Nsure Audit stores LSC files as attributes in their respective Application object. (English LSC files 
are stored under the NAuditAppSchemaEn attribute.) Typically, logging applications use the 
AuditExt utility to automatically create their associated Application object and to populate the 
Application object’s log schema attribute; however, if you modify or localize an LSC file, you can 
manually add it to the Application object using the AuditExt utility. For more information on this 
procedure, see “Using AuditExt to Add LSC Files to Application Objects” on page 186. 


+ “How LSC Files Are Used” on page 162 
+ “Localized Log Schema Files” on page 163 
+ “Adding LSC Files to Application Objects” on page 163 
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How LSC Files Are Used 


Queries 


The information stored in the log schema files—specifically Event IDs, Group IDs, Text and 
Numeric field vales—is useful in defining query statements, Notification Filters, and Heartbeat 
Notifications. For example, if you want to receive a notification anytime a server goes down, you 
must first look up the Event ID for the Server Down event in the NetWare log schema. You can 
then configure a Notification Filter that selects events with an Event ID of 000A0103. 


The File and Syslog drivers use the log schemas to create localized, human readable log files. At 
startup, the File and Syslog channel drivers load each application’s log schema in memory. If a 
logging application has multiple language versions of its log schema, the drivers load the schema 
for the language designated in their respective Channel objects. The File and Syslog channel 
drivers then reference the log schemas to write localized event descriptions to their log files. 


NOTE: If the File and Syslog Channel objects reference the same language, the drivers independently load 
the log schema in their own memory. The only time the log schema is shared is between multiple instances of 
the same driver. For example, if you have two File channels configured to write Translated log files in English, 
the English log schema for each application is loaded only once. For more information, see “File Channel 
Driver” on page 82 and “Syslog Channel Driver” on page 94. 


iManager and Nsure Audit Report also reference the log schemas. They use the Field titles defined 
in the log schemas to label column headings and event fields in the query results. 


Step 2 of 2: Query results 


You may export and print results by clicking on the corresponding links below. 


Wayne's MySQL - all events 


Export Results | Printer Friendly 


SourcelP ClientTimestamp ClientMS ServerTimestamp Component EventID Severity Grouping Text1 

127.0.0.1 an 1, Er 0 gun 0, aa” Fred Sha Info 0 .«smtp.Channels.Logging Services 
A E id 
127.0.0.1 347 1 2003 g un omg eDirinst Add Value Info 0 .WRUST-JC. novell 
ios o gun de aa eDirinst © Add Value Info 0 [Root]. 

127.0.0.1 Jun 0 Jun 12, 2003 eDirinst Add Value Info 0 [Root]. 

127.0.0.1 3 | g A eDirinst Add Value Info 0 [Root]. 

oi 00 ie eDirinst Add Value Info 0 [Root]. 

127.0.0.1 ee g Jun 12, 2003  eDirlnst Delete Value Info 0 .WRUST-JC, novell 


4 


iManager and Nsure Audit Report manually import log schemas from the Application objects. For 
information on importing and viewing log schema files, see “Importing and Viewing Log Events 
in iManager” on page 108 and “Importing and Viewing Events in Nsure Audit Report” on 

page 121. 
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Localized Log Schema Files 


Although there is only one log schema for a given application, there can be many localized 
versions of the Log Schema file. Nsure Audit stores each language version of the LSC file as an 
attribute in its respective Application object. For example, English LSC files are stored under the 
NAuditAppSchemaEn attribute; German LSC files are stored under the NAuditAppSchemaDe 
attribute; and so forth. 


IMPORTANT: Each language version of the LSC file must be added to the Application object before it can be 
used by the Syslog and File channel drivers to create localized log files. 


Nsure Audit Report and ¡Manager only support one language version of each log schema file at a 
time. 


Adding LSC Files to Application Objects 


During installation, logging applications use the AuditExt utility to automatically create their 
associated Application objects and to populate the Application objects” log schema attribute. 
However, if you modify or localize a LSC file, you can manually add it to the Application object 
using the AuditExt utility at the server console. 


To add a log schema to an Application object using AuditExt, enter the following command at the 
server console: 


auditext -lsc -u:usernam p:password "-a:Application_object" -f:LSC_file -l:langquage 
For example, 
auditext -lsc -u:admin -p:argl "-a:eDirectory Instrumentation" "-f:ltempledir.lsc" -l:en 


If the path to the LSC file contains spaces, enclose the path and the -f flag in quotation marks. For 
example, "-f:c:/my files/myapp.lsc". 


AuditExt requires that the first line of all LSC files is formatted as follows: 
+"object_name”Application_ID"Application_Identifier” language_identifier 


Each parameter is explained below. 


Parameter Description 

object_name The string that is used as the name of the Application 
object. 

Application_ID The four-digit hex value assigned to the current 
application. 


All Application IDs are assigned through Novell Developer 
Support and are maintained in the Nsure Audit central 
registry. 


Application_Identifier The name the logging application uses to identify itself to 
the logging server. 


The Application Identifier is stored in the application’s 
certificate. 
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Parameter 


language_identifier 


Description 


A two character code for the current LSC file’s language. 


The following is a list of language codes: 


+ EN = English 
+ ES = Spanish 
+ FR = French 


+ DE = German 
+ IT = Italian 
+ PT = Portuguese 


« RU = Russian 


If no path is given, AuditExt looks for the log schema files in the working directory of AuditExt. 
By default, schema log files are contained following directories: 


Operating System 
NetWare 
Windows 

Linux 


Solaris 
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Directory 

sys:\system\naudit\* Isc 

\program files\novell\nsure audit\logschema\*.Isc 
/opt/novell/naudit/logschema/*.Isc 


/opt/NOVLnaudit/logschema/*.Isc 


Using MySQL with Nsure Audit 


This section provides basic information that helps you use MySQL with Novell® Nsure™ Audit. 


+ 


+ 


+ 


“Creating An Nsure Audit Database and User” on page 166 
“Basic Operations in MySQL” on page 166 

“SQL Expiration Command Variables” on page 167 

“Basic SQL Query Syntax” on page 168 

“Optimizing Your Queries” on page 171 

“MySQL Miscellaneous Functions” on page 172 

“Sample Query” on page 170 


Refer to your MySQL manual for information on the following: 


+ 


+ 


+ 


+ 


+ 


How to install MySQL 

How to create users and grant access rights within MySQL 
How to optimize MySQL 

Complex or Advanced Query syntax 


Repairing a MySQL database 


NOTE: All of the current MySQL distributions are available from the Downloads page (http://www.mysql.com/ 
downloads/index.html) at the MySQL Web site. The MySQL Reference Manual is available from the 
Documentation page (http://www.mysql.com/documentation/index.html). 


Installing MySQL 


The following instructions provide detailed information on installing MySQL on all supported 
platforms: 


+ 


NetWare 6 and 6.5: Installing MySQL on NetWare (http://dev.mysql.com/doc/mysql/en/ 
NetWare_installation.html) 


Windows 2000 Server and Windows 2003 Server: Installing MySQL on Windows (http:// 
dev.mysql.com/doc/mysql/en/Windows_installation.html) 


Linux: Installing MySQL on Linux (http://dev.mysql.com/doc/mysql/en/Linux-RPM.html) 


Solaris: Installing MySQL on Other Unix-Like Systems (http://dev.mysql.com/doc/mysql/ 
en/Installing_binary.html) 


After you have completed the MySQL installation, continue to “Creating An Nsure Audit 
Database and User” on page 166 
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Creating An Nsure Audit Database and User 


After your MySQL database is installed and running, You must create an Nsure Audit database 
and user with the necessary privileges. The required table in this database is created automatically 
the first time the Secure Logging Server connects. 


To Create a database and user: 
1 launch MySQL Monitor. 


MySQL Monitor is launched by running mysql -u username -p from the NetWare 
terminal or from the mysql folder, depending on the platform. If this is a new installation of 
MySQL, use the default user, root. 


2 Enter the following command in MySQL Monitor to create the Nsure Audit database: 


CREATE DATABASE naudit; 


3 Enter the following command in MySQL Monitor to create the Nsure Audit user: 


GRANT ALL PRIVILEGES ON naudit.* TO auditusr@'%s' IDENTIFIED BY 'auditpwd' 
WITH GRANT OPTION; 


NOTE: The @'%' after the username enables remote access for this account. You can omit this if the 
MySQL database is located on the same server as the Secure Logging Server. The default password is 
auditpwd, though we strongly suggest changing this password from the default in a production 
environment. 


4 Enter the following command in MySQL Monitor to flush the MySQL privileges: 


FLUSH PRIVILEGES; 


5 Record the following information: 
+ JP address or DNS name of your MySQL server. 
+ Nsure Audit database name. 
+ Nsure Audit username and password. 


This information is required to configure the log channel object in eDirectory used by the 
Secure Logging Server to connect to your MySQL server. 


6 Exit MySQL Monitor. 
MySQL is now configured for use by Nsure Audit. The necessary table structures are created 


automatically by Nsure Audit. 


Basic Operations in MySQL 


This section contains some basic information about MySQL, and is not intended to help you get 
started using MySQL with Nsure Audit. If the Audit database is not present, Nsure Audit creates 
it automatically. 


Creating a User 
Users in MySQL are created by granting rights. For example, if you grant a user rights to a 


database, that user is created. See “Creating An Nsure Audit Database and User” on page 166 for 
additional details. 
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Granting Access to a Database 


1 To create a local user, In MySQL Monitor, run 


GRANT ALL PRIVILEGES ON database.table TO username IDENTIFIED BY 


"some_pass' WITH 


GRANT OPTION; 


For example, grant all privileges on naudit.* to audituser grants the default audit user access 


to the default audit database. For additional information on privileges, see the MySQL 


documentation. 


4 To create a remote user (a user who can log in from anywhere), run 


GRANT ALL PRIVILEGES ON database.table TO username@’%’ IDENTIFIED BY 


"some_pass' WITH 


GRANT OPTION; 


For example, grant all privileges on naudit.* to audituser@’%’ enables audituser to remotely 
access all tables in the naudit database. Optionally, the % wildcard could be replaced with a 
full or partial DNS name or IP address, for example, audituser@’%.novell.com’ allows access 


only from a DNS ent 
2 Run Flush Privileges 


ry resolving to the .novell.com domain. 


; to apply the changes. 


SQL Expiration Command Variables 


The following table lists the variables that can be used with expiration commands in the MySQL 
Channel object’s SQL Expiration Commands property. For information on the SQL Expiration 
Commands property, see “MySQL Channel Object” on page 86. 


IMPORTANT: SQL expiration command variables are case sensitive. 


IMPORTANT: All variable strings must be preceded by a dollar sign ($). 


Variable 

Novell Nsure Audit Cus 
T 

l 


e 


Date Formatting 


Y 


y 
M 


Description 
tom Variables 


Novell Nsure Audit’s default table schema. 


The table name defined in the MySQL Channel object configuration. 


The CREATE TABLE Options defined in the MySQL Channel object 
configuration. 


The date format can be tied together (for example, $Y$M$D). 
Year (four digit) 

Year (two digit) 

Month (two digit) 

Day (two digit) 

Hour (two digit) 

Minute (two digit) 

Second (two digit) 


Now. This value displays as yyyymmdd. 
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Sample SQL Expiration Command Script 


create table newtabl (ST) $Se;RENAME TABLE $1 TO 1$n, newtable TO $1 
This script does the following: 

1. Creates a new table using the CREATE TABLE Options. 

2. Renames the current table so it includes the date and time in decimal. 


3. Renames the new table with the default table name. 


Basic SQL Query Syntax 


All SQL queries use the Select command. The Select command retrieves the table rows (records) 
that match the given query statement. 


The basic Select command syntax is as follows: 


SELECT 


select_expression,... 

[FROM table_references 

WHERE where_definition] 

GROUP BY {unsigned_integer | col_name | formula} [ASC | DESC], seal 


HAVING where_definition] 


ORDER BY {unsigned_integer | col_name | formula} [ASC | DESC] ++...) 


LIMIT [offset,] rows | rows OFFSET offset] ] 


All keywords used must be given in exactly the order shown above. For example, a HAVING 
clause must come after any GROUP BY clause and before any ORDER BY clause. 


The following sections provide general information on each phrase in the Select syntax. For more 
specific information, see the MySQL Reference Manual (http://www.mysql.com/documentation/ 
index.html). 


select_expression 


Select_expression indicates the information you want to retrieve from the server. Each item is 
separated with a comma (, ). 


ALL is the default, meaning that all records are returned. 
The asterisk (*) retrieves all the columns in every table shown in the FROM clause. 
DISTINCT is a keyword that tells the query to filter out all duplicate records. 


The select_expression can also contain aggregate functions. Aggregate functions return a single 
value based upon another set of values. The most common aggregate functions include: 


+ AVG returns the average of all non-null values in the specified columns. 
+ COUNT counts the occurrences of non-null values in the specified columns. 


+ COUNT DISTINCT counts the occurrences of all unique, non-null values in the specified 
columns. 
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+ COUNT counts every record in the table. 
+ MAX returns the highest non-null value in the specified columns. 
+ MIN returns the lowest non-null value in the specified columns. 


+ SUM totals all non-null values in the specified columns. 


FROM Clause 


The FROM clause indicates the tables from which to retrieve rows. 


WHERE Clause 


The WHERE clause defines the search conditions. It provides most of the search conditions that 
filter unwanted data from the query. (The results of the WHERE clause can be further filtered by 


the HAVING clause.) 
The basic syntax for the where_definition is as follows: 


search_condition ::= 


{ [ NOT ] predicate | ( search_condition ) } 
{ { AND | OR } [ NOT ] { predicat | ( search_condition ) } ] 
} [ ,...n ] predicate ::= 
{ expression { = | <> |!-=]|>]|>2+]!> |< | <= |! < } expression 


string_expression [ NOT ] LIKE string_expression 


[ ESCAPE 'escape_character' ] 


expression [ NOT ] BETWEEN expression AND expression 


expression IS [ NOT ] NULL 


CONTAINS 
( { column | * } , 'contains_search_condition' ) 
FREETEXT ( { column | * } , 'freetext_string' ) 
expression [ NOT ] IN ( subquery | expression [ ,...n ] ) 
expression {= | <> | !=| >| >=] !>]|<]<=] !<>) 


{ ALL | SOME | ANY} ( subquery ) 


EXISTS ( subquery ) 


GROUP BY Clause 


The GROUP BY clause is only needed in queries that utilize aggregate functions. The GROUP 
BY clause is used to group output rows. 


HAVING Clause 
The HAVING clause adds search conditions on the result of the GROUP BY clause. 


HAVING works very much like the WHERE clause and uses all the same search conditions. 
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ORDER BY Clause 


The ORDER BY clause is used to sort the query results. The query results can be sorted in 
ascending (ASC) or descending (DESC) order. Ascending order is the default. 


LIMIT Clause 


The LIMIT clause takes one or two arguments to limit the number of rows returned. If it has one 
argument, it designates the maximum number of rows to return. If it has two arguments, the first 
is the offset and the second is the maximum number of rows to return. 


If the second argument is —1, MySQL returns all rows from the specified offset until the end. For 
example, to return from row 2 to the end, use this command: 


SELECT f1 FROM t1 LIMIT 1,-1 


Sample Query 


The following is a NetMail™ query that lists the top ten bad password users over the past hour: 


mysql> Select Textl 'Username' , Count (Text1) 'Total Attempts', Count (Distinct Text2) 'Unique 
Passwords', Count (Distinct Valuel) 'Unique IP Addresses' from log where EventID=0x20001 and 
ClientTimestamp> (unix_timestamp()-3600) group by Textl order by 'Total Attempts' DESC limit 10; 


Result 


MySQL returns the results as follows: 


+ + + + 
4 
Username Total Attempts | Unique Passwords | Unique IP Addresses 
+ + + + 
7A 
samejones 399 2 
eltrijillo 78 1 
thelomb 21 2 2 
jstrec 26 1 
krg 11 
tes197 11 1 
elvin-v H 1 
daveknub 10 1 
dannyjes 10 1 
samiam 10 1 
+ + + + 
+ 


10 rows in set (10.92 sec) 
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Optimizing Your Queries 


There are two basic ways you can optimize your queries. 
+ “Query with an Index” on page 171 
+ “Minimize Query Data” on page 172 


The following sections give more detail on these options. 


Query with an Index 


Any query that uses an index is faster than one that does not. Un-indexed queries can be slow and 
might require excessive CPU cycles. 


The Nsure Audit table structure includes indexes on the Event ID and ClientTimestamp fields. If 
necessary, you can create indexes for additional table fields. 


To determine if a query has an index, use the following command line: 

explain query string\G 

The \G parameter simply makes the output more attractive. 

For example, if you enter the following command line for a query that does have an index, 
explain select eventid, count (eventid) from log group by eventid\G; 


MySQL returns the following: 


KKK KKK KKK KKK KKK KKK KKKKKKKAKK TL row KAR KKK KKK KKK KKK KKK KKK KKK KKK 


table: log 


type: index < 
possible_keys: NULL 
key: EventIDIndex <-- 


key_len: 9 


ref: NULL 


rows: 3265918 


Extra: Using index <-- 


1 row in set (0.00 sec) 


On the other hand, if you enter the following command line for a query that does not have an index, 
explain select component, count (component) from log group by component\G; 
MySQL returns the following: 

KAEKKKKKKKKKKKKKKKKKKKKKEK KKK 1 . row KEKKKKKKKKKKKKKKKKKKKKKKKKK 

table: log type: ALL 

possible_keys: NULL 


key: NULL 
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key_len: NULL 
ref: NULL 


rows: 3289946 


Extra: Using temporary; Using filesort <-- No mention of an index 


1 row in set (0.00 sec) 


Minimize Query Data 


Another way you can optimize your queries is to minimize the amount of data your query acts on. 
For example, the following is an eDirectory™ Instrumentation query that returns all the user 
logins: 


Based on EventID: 
select textl from log where eventid=0x10301; 


To limit the query to only those user logins that occurred in the last hour, you would modify the 
query as follows: 


Based on EventID and Time: 


select textl from log where eventid=0x10301 
andClientTimeStamp> (unix_timestamp ()-3600) ; 


MySQL Miscellaneous Functions 


MySQL provides two functions that translate queried data into more useful formats: 
+ “SELECT INET _NTOA” on page 172 
+ “SELECT INET_ATON” on page 173 


SELECT INET_NTOA 


The IPAddress function translates a number into an IP address in dotted form. The function syntax 
is 


IPAddress (number) 

The IPAddress function expects the number to be in the INTEL* host byte order format. 
For example, if you enter this command line, 

select IPAddress (453261698) ; 


MySQL returns the following: 


+ + 


| IPAddress (453261698) | 


+ + 


| 130.57.4.27 | 


+ + 


1 row in set (0.00 sec) 
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SELECT INET_ATON 


The IP function translates an IP address into a number that can be stored in a database. The 
function syntax is 


IP (ip_address) 

The IP function translates the IP address into a number in the INTEL host byte order format. 
For example, if you enter this command line, 

select IP(130.57.4.27); 

MySQL returns the following: 


+ + 


| IP (130.57.4.27) | 


+ + 


| 453261698 | 


+ + 


1 row in set (0.00 sec) 
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Using Oracle with Nsure Audit 


This section contains basic information on setting up an Oracle database for use with Nsure Audit. 


Refer to your Oracle manual for information on the following: 


+ How to install Oracle 


+ How to create users and grant access rights within Oracle 


+ How to optimize Oracle 
+ Query syntax 


+ Repairing an Oracle database 


Configuring the Database 


4 If your Oracle database is not hosted on your Nsure Audit server, install the Oracle client tools 
on your Nsure Audit server. The client tools are included with the Oracle database installation. 


2 Download the JDBC driver for your Oracle database from http://otn.oracle.com/software/ 
tech/java/sqlj_jdbc/index.html (http://otn.oracle.com/software/tech/java/sqlj_jdbc/ 
index.html) . The .zip file you download must be renamed with a .jar extension and copied to 
the tomcat/common/lib folder of the server hosting the Nsure Audit ¡Manager plug-in. This 
jar file enables you to create JDBC connections to Oracle. 


3 On Linux, create the following environment variable: 


export LD_LIBRARY_PATH=SORACLE 


__HOM 


E/lib:/lib:/usr/lib:/usr/local/lib 


4 In Oracle, create an Nsure Audit database, and create an Nsure Audit database user. The 
necessary table is created automatically by the Oracle channel driver on initial connection. 


Setting Up a Remote Connection 


This section contains brief instructions on creating an Oracle SID using the Oracle Net 
Configuration Assistant. See the documentation for your Oracle database or your database 


administrator for additional help. 


1 Start the Oracle Net Configuration Assistant. This is installed as part of the Oracle client tools. 


2 Select Local Net Service Name Configuration. 


3 Select Add. 


4 Select your Oracle version, then enter the name of the database service. This name should 
match the SID name displayed in the Oracle Enterprise Manager Console. 


5 Select TCP. 


6 Enter the host and port of your Oracle server, then verify your credentials. 


Using Oracle with Nsure Audit 175 


The SID name you just created is provided as the Name parameter when creating an Oracle 
log channel object. 


Creating the Oracle Channel Object 


Instructions for creating the Oracle channel object are contained in “Oracle Channel Object” on 
page 89. 


Establishing a JDBC Connection to Oracle 


JDBC database connections are used when performing queries in iManager. These steps assume 
you have completed step 2 in “Configuring the Database” on page 175, and the required JDBC 
JAR file is in the classpath of your iManager server. 


1 Log in to iManager. 
2 Select the Nsure Audit Role > Query Configuration task. 
3 Click the New link to add a new Database. 


4 Follow the instructions in the online help to create the database entry. 


Establishing an ODBC Connection to Oracle 


An ODBC connection to Oracle is required to use Nsure Audit Report (LReport), and other 
windows-based querying tools. See the Oracle ODBC Drivers Web site (http://otn.oracle.com/ 
tech/windows/odbc/index.html) for details on obtaining, installing, and using the Oracle ODBC 
drivers. 
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Using Microsoft SQL Server with Nsure Audit 


This section contains basic information on setting up a Microsoft* SQL Server database for use 
with Nsure Audit. 


Refer to your SQL Server manual for information on the following: 
+ How to install SQL Server 
+ How to create users and grant access rights within SQL Server 
+ How to optimize SQL Server 
+ Query syntax 


+ Repairing an SQL Server database 


Configuring the Database 


4 If your SQL Server database is not hosted on your Nsure Audit server, install the SQL Server 
client tools on your Nsure Audit server. The client tools are included with the Microsoft SQL 
Server database installation. 


2 Download the JDBC driver for your SQL Server database from http://www.microsoft.com/ 
sql/downloads . After installation, copy the mssqlserver.jar file to the tomcat/common/lib 
folder of the server hosting the Nsure Audit ¡Manager plug-in. This jar file enables you to 
create JDBC connections to SQL Server. 


3 In SQL Server, create an Nsure Audit database, and create an Nsure Audit database user. 


Creating the Microsoft SQL Server Channel Object 


Instructions for creating the SQL Server channel object are contained in “Microsoft SQL Server 
Channel Object” on page 98. 


Establishing a JDBC Connection to Microsoft SQL Server 


JDBC database connections are used when performing queries in iManager. These steps assume 
you have completed step 2 in “Configuring the Database” on page 177, and the required JOBC 
JAR file is in the classpath of your iManager server. 


1 Log in to iManager. 
2 Select the Nsure Audit Role > Query Configuration task. 
3 Click the New link to add a new Database. 


4 Follow the instructions in the online help to create the database entry. 
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Establishing an ODBC Connection to Microsoft SQL Server 


An ODBC connection to Microsoft SQL Server is required to use Nsure Audit Report (LReport), 
and other windows-based querying tools. See the Microsoft SQL Server Web site (http:// 
www.microsoft.com/sql/default.asp) for details on obtaining, installing, and using the Microsoft 
SQL Server ODBC drivers. 
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Using JDBC Data Stores with Nsure Audit 


Nsure Audit has the ability to send events to any JDBC-enabled data store. For performance 
reasons, we recommend using only the channels discussed in “Data Store” on page 27 as the 
primary log channel, and use JDBC datastores for notifications. 


When using a JDBC data store, be aware of the following: 
+ The server hosting your JDBC data store must have JVM 1.4.1 or later. 


+ On Linux and Solaris platforms, you need to export LD_LIBRARY_PATH to the path of the 
server JVM. To do this, create /etc/profile.local if it does not exist, and add an export line 
similar to the following: 


export LD_LIBRARY_PATH=/usr/lib/java/jre/lib/i386/server:/usr/lib/java/ 
jre/lib/i386/ 


Replace /usr/lib/java with the full path to the Java runtime environment, for example, /usr/lib/ 
SunJava2-1.4.1. 


+ When creating the JDBC channel object in the Nsure Audit ¡Manager plug-in, if you JDBC 
datastore is hosted on Linux or Solaris, Java classpath entries must be seperated by a colon. If 
your JDBC datastore is hosted on NetWare or Windows, Java classpath entries must be 
separated by a semicolon. 


Configuring the Database 


1 Install and configure any JDBC-enabled data store according to the instructions provided by 
the vendor. 


2 Copy all required Java Archive files (.jar) to the tomcat\4\common\lib folder of the server 
hosting the Nsure Audit ¡Manager plug-in. 


3 In the JDBC-enabled datastore, create an Nsure Audit database and a database user. 


Creating the JDBC Channel Object 


Instructions for creating the Oracle channel object are contained in “JDBC Channel Object” on 
page 96. 
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Commands and Utilities 


This section reviews the startup commands and utilities used with Novell® Nsure™ Audit. 
+ “Platform Agent Startup” on page 181 
+ “Logging Cache Module Startup” on page 181 
+ “Secure Logging Server Startup Commands” on page 182 
+ “Starting and Stopping the Secure Logging Server on NetWare” on page 182 
+ “Starting and Stopping the Secure Logging Server on Windows” on page 183 
+ “Starting and Stopping the Secure Logging Server on Linux” on page 183 
+ “Starting and Stopping the Secure Logging Server on Solaris” on page 183 
+ “NetWare and eDirectory Instrumentation Startup Commands” on page 183 


+ “Starting and Stopping the NetWare and eDirectory Instrumentations on NetWare” on 
page 184 


¢ “Starting and Stopping the eDirectory Instrumentation on Windows” on page 185 

+ “Starting and Stopping the eDirectory Instrumentation on Linux and Solaris” on page 185 
+ “AuditExt” on page 185 
+ “AudCGen” on page 187 
+ “LETrans” on page 189 


Platform Agent Startup 


The Platform A gent (logevent) is the client portion of the Nsure auditing system. It must be 
installed on every server or workstation running applications that log events to Novell Nsure 
Audit. 


Logevent is a shared library that is automatically loaded by its local logging applications. 
Consequently, it does not need to be manually loaded or unloaded. 


Logging Cache Module Startup 


The Logging Cache Module (Icache) writes events to the Disconnected Mode Cache if the 
connection between the Platform Agent and the Secure Logging Server fails. It is installed with 


logevent on every server or workstation running applications that log events to Novell Nsure 
Audit. 


On NetWare® and Windows, logevent automatically loads lcache. On Linux, the eDirectory 
instrumentation, auditds, automatically loads lcache. In some circumstances, on Linux and Solaris 
systems, Icache must be manually loaded. 
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To load Icache on Linux systems, enter 
/opt/novell/naudit/lcache 
To load Icache on Solaris systems, enter 


/opt/NOVLnaudit/lcache 


IMPORTANT: Do not unload Icache. Even if the local logging applications are no longer running, Icache must 
stay loaded so it can upload cached data to the Secure Logging Server. To prevent the Logging Cache Module 
from being unloaded, you can set the LogCacheUnload setting to No in the logevent file. For more information, 
see “Logevent” on page 52. 


Secure Logging Server Startup Commands 


The Secure Logging Server (lengine) is the server component in the Nsure auditing system. It is 
installed on the server you want to manage the flow of information to and from the auditing 
system. 


Lengine automatically loads MDB, the Directory interface. Before starting the logging server, 
MDB verifies if Novell eDirectory™ is ready. If eDirectory is not ready, the logging server does 
not load. 


NOTE: On Windows systems, the logging server loads, but it automatically falls back to Windows registry 
configuration. 


The startup commands for NetWare, Windows, Linux, and Solaris systems are reviewed in the 
following sections. 


¢ “Starting and Stopping the Secure Logging Server on NetWare” on page 182 
+ “Starting and Stopping the Secure Logging Server on Windows” on page 183 
+ “Starting and Stopping the Secure Logging Server on Linux” on page 183 

+ “Starting and Stopping the Secure Logging Server on Solaris” on page 183 


Starting and Stopping the Secure Logging Server on NetWare 


On NetWare, the startup script for the Secure Logging Server is included in the auditsvr.ncf file. 
Auditsvr.ncf is added to the server’s autoexec.ncf file during installation so lengine.nlm loads each 
time the server restarts. 


To manually load the Secure Logging Server on NetWare, enter 
load lengine 

or 

load auditsvr.ncf 


If you want to prevent the Secure Logging Server from being unloaded by users with access to the 
server console, you can append the -n switch to the server startup script. (For example, 
load lengine -n .) 


To manually unload the Secure Logging Server on NetWare, enter 


unload lengine 


NOTE: Lengine.nim and auditsvr.ncf are located in the sys:\system directory. 
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You must individually start or stop each logging server in the tree. 


Starting and Stopping the Secure Logging Server on Windows 


On Windows, the startup script for the Secure Logging Server is included in the naudit.exe file. 
Naudit.exe has an Automatic startup type so lengine.exe loads each time the server restarts. 


To manually load or unload the Secure Logging Server on Windows, you must start or stop the 
Novell Nsure Audit Manager service: 


4 Click Start > Settings > Control Panel. 
2 Open the Services window. 
+ On Window NT, select Services. 
+ On Windows 2000 and XP, select Administrative Tools > Services. 


3 In the list of installed services, right-click Novell Nsure Audit Manager, then select Start or 
Stop. 


You must individually start or stop each logging server in the tree. 


Starting and Stopping the Secure Logging Server on Linux 


On Linux, the startup script for the Secure Logging Server is /etc/init.d/novell-naudit . This startup 
script loads lengine each time the server restarts. 


To manually start the Secure Logging Server on Linux, enter 
/etc/init.d/novell-naudit start 

To stop the Secure Logging Server on Linux, enter 
/etc/init.d/novell-naudit stop 


You must individually start or stop each logging server in the tree. 


Starting and Stopping the Secure Logging Server on Solaris 


On Linux, the startup script for the Secure Logging Server is /etc/init.d/naudit . This startup script 
loads lengine each time the server restarts. 


To manually start the Secure Logging Server on Solaris, enter 
/etc/init.d/naudit start 

To stop the Secure Logging Server on Solaris, enter 
/etc/init.d/naudit stop 


You must individually start or stop each logging server in the tree. 


NetWare and eDirectory Instrumentation Startup Commands 


The NetWare and eDirectory Instrumentations for Novell Nsure Audit (auditNW and auditDS, 
respectively) allow Nsure Audit to log NetWare, eDirectory, and file system events. 
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For information on selecting which events you want Novell Nsure Audit to log, see Chapter 6, 
“Logging eDirectory, NetWare, and File System Events,” on page 69. 


To enable NetWare and file system logging, auditNW must be loaded on every server on which 
you want to log NetWare and file system events. To avoid receiving duplicate entries for 
eDirectory events, enable the do not sent replicated events option. To enable this, open the Nsure 
Audit tab of your NCP Server object and check the "Do not send replicated events" checkbox. To 
log non-replicated events (such as logins), it must be installed on each individual server for which 
you want to log non-replicated events. 


Additionally, the Platform Agent must be installed on every server on which you want to log 
NetWare, file system, and eDirectory events. AuditNW and auditDS automatically load the 
Platform Agent (logevent) to send events to the Secure Logging Server. 


Typically, auditNW and auditDS should be automatically loaded each time the server or 
workstation restarts. However, you can also manually load or unload the instrumentation files. The 
following sections review the instrumentation startup commands for NetWare, Windows, Linux, 
and Solaris systems. 


+ “Starting and Stopping the NetWare and eDirectory Instrumentations on NetWare” on 
page 184 


¢ “Starting and Stopping the eDirectory Instrumentation on Windows” on page 185 


+ “Starting and Stopping the eDirectory Instrumentation on Linux and Solaris” on page 185 


Starting and Stopping the NetWare and eDirectory Instrumentations on NetWare 


NOTE: At server startup, the NetWare and eDirectory instrumentations should be loaded as soon as possible, 
but they must be loaded after TCP/IP. 


On NetWare, the startup scripts for auditNW and auditDS are included in the auditagt.ncf file. 
Auditagt.ncf is added to the server’s autoexec.ncf file during installation. Therefore, the NetWare 
and eDirectory Instrumentations automatically load each time the server restarts. 


If you want to prevent auditNW or auditDS from being unloaded by users with access to the server 
console, you can append the -n switch to the agent startup scripts. (For example, load auditnw -n .) 


To manually start the NetWare or eDirectory Instrumentation on NetWare, enter 
load auditnw 

or 

load auditds 

To load both the NetWare and eDirectory Instrumentations, enter 

load auditagt.ncf 

To stop the NetWare and eDirectory Instrumentations on NetWare, enter 
unload auditnw 


unload auditds 


NOTE: auditnw.nlm, audit.ds, and auditagt.ncf are located in the sys:\system directory. 


You must individually start or stop the instrumentations on each server in the tree. 
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Starting and Stopping the eDirectory Instrumentation on Windows 


On Windows, the eDirectory Instrumentation is managed through the Novell eDirectory Services 
utility. By default, the eDirectory Instrumentation must be manually loaded on one server per DS 
Replica. 


To manually load or unload the eDirectory Instrumentation on Windows: 
1 Load ndscons.exe. 
ndscons.exe is usually in the \novell\nds\ directory. 
2 In the list of installed services, select the Novell Nsure Audit Component. 
3 Click Start or Stop. 
To configure nauditDS.dlm to load each time the server restarts: 
1 Load ndscons.exe. 
ndscons.exe is usually in the \novell\nds\ directory. 
2 In the list of installed services, select the Novell Nsure Audit Component. 
3 Click Startup. 
4 Mark the Automatic startup type, then click OK. 


Starting and Stopping the eDirectory Instrumentation on Linux and Solaris 


On Linux and Solaris systems, the eDirectory Instrumentation must be manually loaded on one 
server per DS Replica. 


To manually start the eDirectory Instrumentation on Linux or Solaris, enter 
ndstrace -c “load auditds” 

To manually stop the eDirectory Instrumentation on Linux or Solaris, enter 
ndstrace -c “unload auditds” 

To automatically load the eDirectory Instrumentation each time the server restarts, add 
auditds auto #Nsure Audit Platform Agent 


to /usr/lib/nds-modules/ndsmodules.conf. 


NOTE: On Linux systems, the startup script is /etc/init.d/novell-naudit .On Solaris systems, the startup script 
is /etc/init.d/naudit . 


AuditExt 


The AuditExt utility adds Novell Nsure Audit objects (Logging Services and its associated 
containers, the Logging Server object, Channel objects, Notification objects, and Application 
objects) to the eDirectory schema. 


Logging applications use AuditExt to create their associated Application objects and to populate 
the Application objects’ log schema attribute. 


Novell Nsure Audit stores LSC files as attributes in their respective Application object. English 
LSC files are stored under the NAuditAppSchemaEn attribute, French LSC files are stored under 
the NAuditAppSchemaFr attribute, and so forth. 
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AuditExt is also required to uninstall Novell Nsure Audit. For information on this procedure, see 
“Uninstalling Novell Nsure Audit” on page 152. 


Using AuditExt to Extend the Schema 


The installation program uses AuditExt to extend the eDirectory schema during the initial 
installation. Under normal circumstances, the schema should only be extended one time. This is 
automatically done during the Novell Nsure Audit installation on the first server in the tree. 


If, for some reason, the initial schema extension fails, you can run AuditExt to extend the schema 
again. However, you should not try to extend the schema again until the first schema extension is 
fully replicated. 


NOTE: A common indicator that the Novell Nsure Audit schema extension has failed is when you create Nsure 
Audit objects, but the objects don’t get added to the tree. The tree doesn’t recognize the attribute even though 
you are able to create the objects in iManager. 


Another instance when you might need to run the AuditExt utility is to re-create the Logging 
Services container. If Logging Services is deleted from the tree, it can only be re-created by 
running AuditExt. 


To use AuditExt to extend the eDirectory schema or re-create the Logging Services container: 
1 Launch Auditext at the server console. 
+ On NetWare, enter sys: \system\auditext .nlm. 


+ On Windows, enter \program files\novell\nsure 
audit \auditext.exe. 


+ On Linux, enter /opt/novell/naudit/auditext. 
+ On Solaris, enter /opt /NOVLnaudit /auditext. 
2 Specify your admin username and password. 
3 Select Add Schema Extensions, then press Enter. 
AuditExt adds the Nsure Audit objects to the eDirectory schema. 


Using AuditExt to Add LSC Files to Application Objects 


During their installations, logging applications use the AuditExt utility to automatically create 
their associated Application objects and to populate the Application objects’ log schema attribute. 
However, if you modify or localize a Log Schema (LSC) file, you can manually add it to the 
Application object by running the AuditExt utility at the server console. 


To add a log schema to an Application object at the server console, enter the following command: 


auditext -lsc -u:usernam p:password "-a:Application_object" -f:LSC_file -1l:language 


NOTE: If the path to the LSC file contains spaces, enclose the path and the -f flag in quotation marks. For 
example, "-f:c:/my files/myapp.Isc". 


The following is a sample command that adds the English edir.Isc file to the eDirectory 
Instrumentation Application object: 


auditext -lsc -u:admin -p:argl "-a:eDirectory Instrumentation" -f:\temp\edir.lsc -l:en 
AuditExt requires that the first line of all LSC files is formatted as follows: 


+"object_name”Application_ID”"Application_Identifier” language_identifier 
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Each parameter is explained below. 


Parameter Description 

object_name The string that is used as the name of the Application 
object. 

Application_ID The four-digit hex value assigned to the current 
application. 


All Application IDs are assigned through Novell Developer 
Support and are maintained in the Novell Nsure Audit 
central registry. 


Application_Identifier The name the logging application uses to identify itself to 
the logging server. 


The Application Identifier is stored in the application’s 
certificate. 


language_identifier A two-character code for the current LSC file’s language. 
+ EN = English 
+ ES = Spanish 
+ FR = French 
+ DE = German 
+ IT = Italian 
+ PT = Portuguese 


+ RU = Russian 


If no path is given, AuditExt looks for the log schema files in the working directory of AuditExt. 
By default, schema log files are contained following directories: 


Operating System Directory 

NetWare sys:\system\naudit\* Isc 

Windows \program files\novell\nsure audit\logschema\*.Isc 
Linux /opt/novell/naudit/logschema/*.Isc 

Solaris /opt/NOVLnaudit/logschema/*.Isc 


AudCGen 


AudCGen is a command line utility that generates custom x.509 certificates for the Secure 
Logging Server and logging applications. Novell Nsure Audit uses certificates to authenticate 
logging applications and sign events. For more information on generating certificates, see Chapter 
11, “Security and Non-Repudiation,” on page 139. 


The AudCGen syntax is as follows: 


audcgen -cert: filenam pkey: filename [-f] [base:directory] [-bits:number] [-serial:number] 
[-valid:days] {-ss | appcert: filenam apppkey: filename -app:Application_Identifier | -v 
-out:target_certificate} 
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The following table reviews each of the command parameters. 


Parameter Description 
-cert : filename The path and filename for the Secure Logging Certificate. 
The default path and filename is base/cacert.pem . 


-pkey: filename The path and filename for the Secure Logging Certificate’s 
private key. 


The default path and filename is base/capkey.pem . 


[-f] Force overwrite. 


AudCGen overwrites any existing certificates or private keys of 
the same name (for example, cacert.pem and capkey.pem or 
appcert.pem and apppkey.pem) in the output directory. 


This parameter is optional. 


If you do not use the -f parameter and there is an existing 
certificate of the same name, AudCGen aborts. 


[base: directory] The default directory for the certificate and private key files. 


By default, base is the root directory. This parameter is 
optional. 


If you do not designate a base directory, you can include the 
directory in the certificate and private key strings. 


[-bits: number] The number of bits for the certificate. 


The default is 512; however, Novell Nsure Audit can handle 
certificates up to 1472 bits. 


[-serial: number] This parameter assigns a serial number to the current 
certificate. You can use this option to keep track of your 
system’s certificates. 


This parameter is optional. 
[-valid: days] The certificate’s expiration in days. 


The current iteration of Novell Nsure Audit does not verify if a 
certificate is valid. 


-SS Self-sign. 


AudCGen generates a self-signed CA certificate and key. 


appcert:filenam The output path and filename for the Logging Application 
Certificate. 


The default path and filename is base\appcert.pem. 


apppkey:filenam The output path and filename for the Logging Application 
Certificate. 


The default path and filename is base\apppkey.pem. 
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LETrans 


PAConfig 


Parameter Description 


-app:Application_Identifier The logging application’s Application Identifier. 


This value must match the Application Identifier stored the 
logging application's Application object. 


-v Validate. 


AudCGen validates the certificate designated in the -out 
parameter. 


-out :target_certificate The path and filename for the certificate you want to validate. 


The default path and filename is base\*.pem 


LETrans is a command-line utility that translates raw text log files into human-readable form. It 
also includes the ability to query an ODBC datasource on your Windows machine, then translate 
and format the output. 


The LEtrans utility takes no parameters; it is configured using the letrans.cfg file. The letrans.cfg 
file contains a description of each LETrans configuration option. 


To Launch LETrans: 


1 Open letrans.cfg in a text editor. LETrans and letrans.cfg are located in the following 
directories: 


+ On NetWare, sys:\system\naudit 
+ On Windows, \program files\novell\nsure audit 
+ On Linux, /opt/novell/naudit 
+ On Solaris, /opt/NOVLnaudit 
2 List the path and name of each untranslated log file in the source files section. 


3 Add the path to the log schema file (.lsc) for any additional instrumentations you are using in 
the schema section. 


4 Save letrans.cfg, then execute LETrans from the server. 


The Platform Agent Configuration Tool provides a graphical interface to manage Nsure Audit 
Platform Agents. This tool operates by making changes to the logevent.cfg file, which contains 
configuration settings for the Platform Agent. 


To make configuration changes, you can either open and edit an exisiting logevent.cfg 
configuration file, or create a new logevent.cfg file. When your changes are complete, the updated 
file must be saved in the correct location for your changes to be applied. 


For a description of each available parameter, see “Logevent” on page 52. 
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Running the Platform Agent Configuration Tool 


To use the Platform Agent Configuration Tool, you must have a Java* Runtime Environment 
(JRE) installed on your workstation. It is also helpful to add the location of your JRE to the path 


environment variable, though this isn’t required if you specify the full path to the Java executable 
in step 2. 


1 Locate the Platform Agent Configuration tool Java Archive file (jar). By default it is installed 
in the following location: 


+ Netware: Sys:\system\naudit\paconfig.jar 

+ Linux: /opt/novell/naudit/paconfig jar 

+ Windows: \program files\novell\nsure audit\paconfig. jar 
+ Solaris: /opt/NOVLnaudit/paconfig.jar 


2 Launch the Platform Agent Configuration tool by executing the following command at a 
console, from the folder you located in step 1: 


java -jar nauditpaconfig.jar 
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File Descriptions and Locations 


This section provides a listing of the Novell® Nsure™ Audit program files and their locations on 
each operating system. 


+ “Program Files” on page 191 


+ “Program Filenames and Directories” on page 193 


Program Files 


The following table lists the program files, their associated components, and their functions. 


See “Program Filenames and Directories” on page 193 for a breakout of program filenames by 
operating system. 


File Program Component Function 


auditagt.ncf Auditagt.ncf contains the startup script for the Novell 


eDirectory™ and NetWare® Instrumentations. It is added to the 
logging server’s autoexec.ncf file during installation. 


auditDS eDirectory Instrumentation The auditDS module hooks into the eDirectory event system. It 
logs all events configured under Nsure Audit > eDirectory in the 
NCP Server object. 


For more information, see “eDirectory Events” on page 71. 


IMPORTANT: On Windows, auditDS must be located in the 

same directory as the directory database set (DIB). By default, 
the DIB is located in \novell\nds\ . On UNIX, auditDS must be 
in /usr/lib/nds-modules . 


auditext A utility used to add or remove the Nsure Audit objects and 
attributes from the eDirectory schema. Auditext is used by the 
installation program to extend the eDirectory schema during 
installation. 


For more information, see “AuditExt” on page 185. 


auditNW NetWare Instrumentation (for The auditNW module hooks into the NSS, Traditional File 
NetWare only) System, and NetWare event systems. It logs all events 
configured under Nsure Audit > Filesystem or 
Nsure Audit > NetWare in the NCP Server object. 


For more information, see “NetWare Events” on page 71 and 
“File System Events” on page 71. 


File Descriptions and Locations 191 


File Program Component 


auditsvr.ncf 


Icache Logging Cache Module for the 
Platform Agent 

lengine Secure Logging Server 

letrans LETrans 

Igdevr Critical Value Reset (CVR) channel 
driver 

Igdfile File channel driver 

Igdjava Java channel driver 

Igdmsql MySQL channel driver 

Igdora Oracle channel driver 

Igdsmtp SMTP channel driver 

Igdsnmp SMNP channel driver 
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Function 


Auditsvr.ncf contains the startup script for the Secure Logging 
Server. It is added to the logging server’s autoexec.ncf file 
during installation. 


The Logging Cache Module enables the Platform Agent to 
temporarily log incoming information to its Disconnected Mode 
Cache. 


For more information on configuring the disconnected mode 
cache, see “Configuring the Platform Agent” on page 51. 


The Secure Logging Server is the server component in the 
Nsure auditing system. It manages the flow of information to 
and from the Nsure auditing system. It receives incoming 
events and requests from the Platform Agents; logs information 
to the data store; monitors designated events; and provides 
filtering and notification services. 


For more information, see “Configuring the Secure Logging 
Server” on page 54. 


A utility designed to convert raw data files logged by the file 
channel, into a readable, delimited format. 


The CVR channel allows you to flag an attribute in eDirectory 
with a reset policy. If the value of that specific attribute is 
changed, the CVR channel driver resets the value as per the 
policy defined in the CVR Channel object. 


For more information, see “CVR” on page 79. 


The File channel driver writes events to a flat file in the file 
system. The driver can be configured to provide a single, 
comma-separated file (*.csv) or a human-readable log file. 


For more information, see “File” on page 81. 


The Java channel driver allows the logging server to output 
filtered events to a Java application. 


For more information, see “Java” on page 84. 


The MySQL channel driver writes events to a MySQL 
database. 


For more information, see “MySQL” on page 85. 


The Oracle channel enables the logging server to log events to 
an Oracle database. 


For more information, see “Oracle” on page 88. 


The SMTP channel driver e-mails events to a designated relay 
host. 


For more information, see “SMTP” on page 90. 


The SNMP channel driver sends events to an SNMP 
management system. 


For more information, see “SNMP” on page 92. 


File 


Igdsyslog 


log 


logevent 


logevent.cfg 
logevent.conf 


Ireport 


mdb 


mdbds 
mdbreg 


naudit 


nproduct.log 


Program Component 


Syslog channel driver 


File channel log file 


Platform Agent 


Platform Agent configuration file 


Nsure Audit Report program file 


Interface to Novell eDirectory, the 
Windows registry, the file system, or 
other systems 


Function 


The Syslog channel driver allows the logging server to log 
events to a specific syslog facility on any syslog host or to a 
remote syslog daemon. 


For more information, see “Syslog” on page 94. 
The filename for the File Channel data store. 


The Platform Agent is the client component in the Nsure 
auditing system. It receives logging information and system 
requests from individual applications and transmits the 
information to the Secure Logging Server. 


For more information, see “Configuring the Platform Agent” on 
page 51. 


A text-based configuration file that stores the local Platform 
Agent's configuration settings. Every computer running the 
Platform Agent has its own logevent.cfg file. 


For more information on the configuration settings and file 
location, see “Configuring the Platform Agent” on page 51. 


Nsure Audit Report is a Windows-based, ODBC-compliant 
application that can query Oracle and MySQL data stores (or 
any other database that has ODBC driver support). 


MDB is a simple API that provides all the functionality required 
to access and manipulate a variety of hierarchical databases 
(for example, eDirectory, the Windows registry, the file system, 
or other systems). 


The MDB API allows Novell Nsure Audit to become 
independent of the actual database. 


The underlying concepts of MDB are similar to ODBC, though 
the functionality differs. 


MDBDS is the MDB driver for eDirectory. 
MDBREG is the MDB driver for the Windows Registry. 


Naudit contains the startup script for the Secure Logging 
Server on Windows, Linux, and Solaris systems. 


Nproduct.log contains any errors that have been logged during 
startup on Windows systems. 


Program Filenames and Directories 


The following link takes you to a table listing the Nsure Audit program files and their locations by 


operating system: 


Nsure Audit Filenames and Directories (http://www.novell.com/documentation/lg/nsureaudit/ 


html/filenames_table.htm) 
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Documentation Updates 


This section contains information on documentation content changes that have been made in the 
Administration Guide for Novell Nsure Audit since the initial release of Novell Nsure Audit 1.0. 
This information will help you to keep current on updates to the documentation. 


If you have not used Novell Nsure Audit 1.0 or Nsure Audit 1.0.1 you do not need to review this 
section. 


All changes that are noted in this section were also made in the documentation. The documentation 
is provided on the Web in two formats: HTML and PDF. The HTML and PDF documentation are 
both kept up-to-date with the documentation changes listed in this section. 


The documentation update information is grouped according to the date the changes were 
published. Within a dated section, the changes are alphabetically listed by the names of the main 
table of contents sections for Novell Nsure Audit 1.0.2. 


If you need to know whether a copy of the PDF documentation you are using is the most recent, 
the PDF document contains the date it was published on the front title page or in the Legal Notices 
section immediately following the title page. 


The documentation was updated on the following dates: 
+ “November 10, 2004” on page 195 
+ “August 2, 2004” on page 196 
+ “November 26, 2003” on page 197 


November 10, 2004 


Update were made to the following sections. The changes are explained below: 
+ “Clarified JDBC Channel Set Up Instructions” on page 195 
+ “Updated Troubleshooting Section” on page 195 


Clarified JDBC Channel Set Up Instructions 


See Appendix E, “Using JDBC Data Stores with Nsure Audit,” on page 179 


Updated Troubleshooting Section 


The following topics were added to troubleshooting: 
+ “Nsure Audit Events Sent During Initialization are Not Logged to the Data Store” on page 151 
+ “Nsure Identity Manager 2 DR1 Update required to Use Nsure Audit 1.0.2” on page 152 
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August 2, 2004 


Updates were made to the following sections. The changes are explained below. 
+ “Additional Database Setup Instructions” on page 196 
+ “Updated Event Fields Reference” on page 196 
+ “Microsoft SQL Server Support” on page 196 
+ “Updated Platform Agent Configuration Reference” on page 196 
+ “PAConfig Utility” on page 196 
+ “WebAdmin References Removed” on page 196 


Additional Database Setup Instructions 


Several new appendices were added to provide additional information to set up additional data 
stores with Nsure Audit. See: 


+ Appendix B, “Using MySQL with Nsure Audit,” on page 165 

+ Appendix C, “Using Oracle with Nsure Audit,” on page 175 

+ Appendix D, “Using Microsoft SQL Server with Nsure Audit,” on page 177 
+ Appendix E, “Using JDBC Data Stores with Nsure Audit,” on page 179 


Updated Event Fields Reference 
In Nsure Audit 1.0.2, several additional event fields were added to enhance the querying and 
reporting features. These updated fields are described in Appendix A, “Log Events,” on page 155. 
Microsoft SQL Server Support 
Nsure Audit 1.0.2 provides support for using the Microsoft* SQL Server as an event repository. 
See “Microsoft SQL Server” on page 97 for details. 
Updated Platform Agent Configuration Reference 


The Platform Agent now has additional parameters, contained in logevent.cfg, enabling you to 
specify the maximum size ofthe Nsure Audit event cache, and specify the action Nsure Audit takes 
when this limit is reached (stop logging, drop cache, or generate a warning). 


See “Logevent” on page 52 for details. 


PAConfig Utility 


Details on the new graphical Platform Agent configuration utility were added. See “PAConfig” on 
page 189 for details. 


WebAdmin References Removed 


The WebAdmin interface is no longer supported in Nsure Audit 1.0.2. References to WebAdmin 
have been removed from this release of the documentation. 
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November 26, 2003 


Updates were made to the following sections. The changes are explained below. 
+ Activating Novell Nsure Audit 
+ Custom Query Macros 
¢ eDirectory Event Instrumentation 
¢ Linux and Solaris Startup Script Location 
+ Secure Logging Server on Windows XP 


+ Letrans Utility to Translate Raw Log Files 


Activating Novell Nsure Audit 
The Documentation was updated to contain information on Activating Novell Nsure Audit. See 
“Activating Novell Nsure Audit” on page 37. 

Custom Query Macros 
Several new custom query variables were implemented for use in Nsure Audit Report (LReport. 
For a complete list, see “Custom Query Macros” on page 131. 

eDirectory Event Instrumentation 


The eDirectory log schema documentation incorrectly contained an application ID of 0001, 
instead of 000B. This was corrected, you can view the updated log schema documentation in 
“eDirectory Events” on page 71. 


Information on using the platform agent on multiple eDirectory servers has been clarified, see 
“eDirectory Instrumentation” on page 36 for details. 
Linux and Solaris Startup Script Location 


The Linux and Solaris startup scripts are in new locations. See “Starting and Stopping the Secure 
Logging Server on Linux” on page 183 and “Starting and Stopping the Secure Logging Server on 
Solaris” on page 183 for details. 


Secure Logging Server on Windows XP 


Windows* XP is a client release of the Windows operating system and it is not licensed to perform 
server functions. Therefore, Windows XP was removed as a supported platform for the Secure 
Logging Server. The Platform Agent is still supported on Windows XP. 


Letrans Utility to Translate Raw Log Files 


Information about translating raw log files logged by the file channel has been added, see 
“Working with Data Logged by the File Channel” on page 137 for details. 
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Glossary 


ACL (Access Control List) 


administrative tool 


alert 


Audit policy 


auditing service 


central data store 


channels 


channel object 


event 


event collection 


A list of the services available on a server. Also listed are the hosts permitted to use each service. 


The user interface in which product configuration and management tasks are performed. For 
Novell® Nsure™ Audit, the administrative tools is iManager. 


An audible or visual alarm (such as a phone call, instant message, page, siren, flashing light, e- 
mail, etc.) intended to inform a system's users and administrators about a policy violation, a change 
in the operating conditions of a system, or some kind of error condition. 


A policy that determines which events should be logged to the data store and how those events 
should be monitored. 


A distributed service that aggregates events from many sources and provides monitoring, logging, 
and reporting to facilitate analysis of the collected data. This is the “engine” of the product. 


The data store that contains every event logged to the system. Novell Nsure Audit logs all events 
to the central data store before any other action is performed. 


The communication paths that Novell Nsure Audit uses to log system events and provide event 
notification. 


Objects used to store the information the logging server needs to use a certain channel. For 
example, MySQL Channel objects include the IP address or host name of the MySQL database 
server, a username and password to connect to the server, the database and table names, and other 
relevant information. SMTP Channel objects, on the other hand, include the IP address or host 
name of the SMTP server, a username and password, and message information (the message 
recipients, sender, subject, and body). 


Data provided to the Auditing Service to be logged. This includes any significant occurrence in 
the system or its logging applications such as starting and stopping services, logging users on and 
off, accessing resources, granting access rights, and so forth. 


The process of gathering events and storing them in the central data store and filtered data stores. 
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event log 


event store 


forensics 


instrument 


instrumentation 


log entry 


log level 


logging 


logging application 


A collection of audit entries that make up an audit trail. Also, the destination file for audit entries 
or logged events. 


A generic reference to any collection of one or more event logs in a directory or database. 


A general term referring to the preservation, identification, extraction, and documentation of 
computer evidence from relevant logging applications. 


The process of configuring an application’s events so they conform to the Novell Nsure Audit 
standardized event structure. 


A logging application that can report events to Novell Nsure Audit. Logging applications must 
report events using the Novell Nsure Audit program’s standardized event structure. 


A recording of a system event in a log file, typically in a standard text or marked-up text format 
such as TXT, XML, and so forth. 


A mandatory component of an event that contains a descriptive severity level of the event. Log 
levels are 8 bits. 


Persistent storage of historical data. 


A generic term used to refer to any application that logs events to the Novell Nsure Audit for the 
purpose of leveraging its auditing, reporting, monitoring, or notification services. 


logging application certificate 


The certificate at the logging application. Logging application certificates must be signed by the 
logging server certificate. This is done using the AudCGen utility. 


logging server certificate 


monitor 


monitoring 


The certificate at the logging server. 


A user interface or a collection of user interfaces for viewing the real-time status of one or more 
aspects of a system or set of systems. A monitor can refer to a single gauge or a cluster of gauges. 
See “named view” on page 201. 


The act of viewing data in real time. The data is exposed through a program or set of programs 
used to oversee computer-based systems and networks for the purpose of tracking usage or 
identifying, reporting on, and solving problems at the earliest possible stage. Typically, different 
tools are used to monitor individual system components, although the individual monitors might 
feed information to a higher-level monitor in order to encompass an entire computing 
environment. 
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named view 


non-repudiation 


notification 


payload 


Platform Agent 


policy 


A view of a set of one or more monitors that has been named and saved, and can be configured and 
deployed to a specific user or set of users based on their role in the organization. For example, if 
an administrator wanted a specific set of users to see how many new users were added to an HR 
application, the monitor for the HR application could be placed in a view named “New 
Employees.” Rights to access these named views can then be managed based on roles. 


Unforgeable evidence that a specific action occurred. 


This differs slightly from the traditional legal meaning of non-repudiation, which refers to the 
irrefutable genuineness of a traditional signature. Non-repudiation services typically include non- 
repudiation of origin, non-repudiation of delivery, non-repudiation of receipt, and non-repudiation 
of submission. The purpose of non-repudiation, in conformance with ISO/IEC 13888-1, -2 and - 
3, is to provide verifiable proof or evidence recording of data, based on cryptographic check values 
generated by using symmetric or asymmetric cryptographic techniques. 


Non-repudiation of approval service provides proof of whom is responsible for approval of the 
content of a message. 


Non-repudiation of sending service provides proof of who sent a message. 
Non-repudiation of origin service is a combination of approval and sending services. 


Non-repudiation of submission service provides proof that a delivery authority has accepted a 
message for transmission. 


Non-repudiation of transport service provides proof for the message originator that a delivery 
authority has given the message to the intended recipient. 


Non-repudiation of receipt service provides proof that the recipient received a message. 


Non-repudiation of knowledge service provides proof that the recipient recognized the content of 
a received message. 


Non-repudiation of delivery service is a combination of receipt and knowledge services. It 
provides proof that the recipient received and recognized the content of a message. 


An automatically generated announcement or message intended to inform a system's users and/or 
administrators about a specific condition of the system. 


Application-specific event data that logging applications can include in their event structure, 
allowing Novell Nsure Audit to log more specific data. 


The operating system-level agent that handles event transport between logging applications and 
the Secure Logging server. 


An organization’s rules governing event logging, the data store, event notifications, reset actions, 
and so forth, or the implementation of these rules. Policy is usually something that is written down, 
such as in an operations manual. Policy is often enforced through a defined set of rules. 
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query results 


query 


report 


resource 


role 


rule 


secure auditing 


threshold 


trigger 


UTC 


The events returned from a data query. The information is presented in a data table; rows represent 
individual records and columns represent fields within those records. 


A request for specific information from the data store. In Novell Nsure Audit, queries are made 
using the SQL query language. 


A Crystal Decisions Report (*.rpt). Reports can graphically represent log data in pie charts, bar 
charts, and so forth. 


A specified right, privilege, or item that can be granted or revoked from a user. 


A function or position with associated rights and privileges dictating the operations a user is 
permitted to perform. Multiple roles can be assigned to one user. 


Repeatable process steps that are performed in a defined order, and result in the application of a 
policy. 


An auditing service where, the logged data and functioning are defensible in a court of law. 


A specified point that when exceeded begins producing a specified effect or result when it is 
exceeded. 


An act that sets in motion some course of occurrences. For example, an event that is found to be 
incongruent with business policy can be an impetus for action such as a notification or value reset. 


Coordinated Universal Time, also know as Universal time. UTC is kept within 0.9 seconds of 
GMT with leap seconds that are added to or omitted from official timekeeping systems annually 
to compensate for changes in the rotation of the earth. 


The abbreviation UTC is a language-independent international abbreviation which is neither 
English nor French. It means both “Coordinated Universal Time” and “Temps Universal 
Coordonné.” 


202 Novell Nsure Audit 1.0.2 Administration Guide 


